EE - Improve slash command stripping, escape temporary note contents
What does this MR do?
This MR is an EE port of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/11341.
Fixes two bugs around Instant comments that were introduced in %9.2 with https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/10760:
- Comment contents shown as temporary note are vulnerable to XSS (writing <script>alert('Boom!');</script> is not escaped).
- Slash command stripping should also include parameters provided to slash command.
Why was this MR needed?
This MR fixes regression around Instant comments feature as mentioned above.
Screenshots (if relevant)
Does this MR meet the acceptance criteria?
- [ ] Changelog entry added, if necessary
- [ ] Documentation created/updated
- [ ] API support added
- Tests
  - Added for this feature/bug
  - All builds are passing
- Conform by the merge request performance guides
- Conform by the style guides
- Branch has no merge conflicts with master (if it does - rebase it please)
- Squashed related commits together
What are the relevant issue numbers?
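The two fixes described in this MR, shown as an added example in plain JavaScript (not GitLab's own code; the function names and the sample comment are illustrative):

```javascript
// Added example, not GitLab's code. Demonstrates the two fixes from the MR:
// escaping temporary note contents and stripping whole slash command lines.

// 1. Escape user-controlled text before it is rendered as a temporary note.
//    Inserting the raw comment via innerHTML would execute the <script>
//    payload quoted in the MR description; escaping renders it as inert text.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// 2. Strip slash commands from the text shown in the temporary note.
//    The whole line is removed, so parameters such as "@alice" in
//    "/assign @alice" are dropped together with the command word.
//    A slash command is a line that starts with "/" plus a command name
//    followed by whitespace or end of line; "/path/to/file" is left alone.
function stripSlashCommands(text) {
  return text
    .split('\n')
    .filter(line => !/^\s*\/[a-z_]+(\s|$)/i.test(line))
    .join('\n')
    .trim();
}

// Build the HTML for a temporary note from the raw comment input:
// strip commands first, then escape what remains.
function renderTemporaryNote(rawComment) {
  const body = stripSlashCommands(rawComment);
  return '<div class="note-text">' + escapeHtml(body) + '</div>';
}

// Constructed sample comment that triggers both bugs at once.
const SAMPLE =
  "<script>alert('Boom!');</script>\n" +
  "/assign @alice\n" +
  "/label ~bug ~security\n" +
  "Looks good to me";

console.log(renderTemporaryNote(SAMPLE));
```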
Activity
marked the checklist item Conform by the merge request performance guides as completed
marked the checklist item Conform by the style guides as completed
marked the checklist item Squashed related commits together as completed
changed milestone to %9.2
added 10 commits
- 31d11a12...b305027d - 8 commits from branch master
- 859d9804 - Improve slash command stripping, escape temporary note contents
- c0c340c1 - Update tests for slash commands
enabled an automatic merge when the pipeline for c0c340c1 succeeds
mentioned in commit fdbf646d
mentioned in commit 3e779d18