Merge branch 'security-11-7-55320-stored-xss-in-user-status' into 'security-11-7'

[11.7] Use sanitized user status message in user popover See merge request gitlab/gitlabhq!2839 (cherry picked from commit e5d355eb04e165fa1b9ccce1253b909a785d4bed) 21e70bba Use sanitized user status message for user popover

Merge branch 'security-11-7-55320-stored-xss-in-user-status' into 'security-11-7'
b02315be · Tim Zallmann · Yorick Peterse · 3424476b · b02315be · b02315be
Commit b02315be authored 6 years ago by Tim Zallmann Committed by Yorick Peterse 6 years ago
--- a/app/assets/javascripts/vue_shared/components/user_popover/user_popover.vue
+++ b/app/assets/javascripts/vue_shared/components/user_popover/user_popover.vue
@@ -28,10 +28,10 @@ export default {
  },
  computed: {
    statusHtml() {
-      if (this.user.status.emoji && this.user.status.message) {
-        return `${glEmojiTag(this.user.status.emoji)} ${this.user.status.message}`;
-      } else if (this.user.status.message) {
-        return this.user.status.message;
+      if (this.user.status.emoji && this.user.status.message_html) {
+        return `${glEmojiTag(this.user.status.emoji)} ${this.user.status.message_html}`;
+      } else if (this.user.status.message_html) {
+        return this.user.status.message_html;
      }
      return '';
    },

--- a/changelogs/unreleased/security-11-7-55320-stored-xss-in-user-status.yml
+++ b/changelogs/unreleased/security-11-7-55320-stored-xss-in-user-status.yml
+---
+title: Use sanitized user status message for user popover
+merge_request:
+author:
+type: security
--- a/spec/javascripts/vue_shared/components/user_popover/user_popover_spec.js
+++ b/spec/javascripts/vue_shared/components/user_popover/user_popover_spec.js
@@ -122,7 +122,7 @@ describe('User Popover Component', () => {
  describe('status data', () => {
    it('should show only message', () => {
      const testProps = Object.assign({}, DEFAULT_PROPS);
-      testProps.user.status = { message: 'Hello World' };
+      testProps.user.status = { message_html: 'Hello World' };
  
      vm = mountComponent(UserPopover, {
        ...DEFAULT_PROPS,
@@ -134,12 +134,12 @@ describe('User Popover Component', () => {
  
    it('should show message and emoji', () => {
      const testProps = Object.assign({}, DEFAULT_PROPS);
-      testProps.user.status = { emoji: 'basketball_player', message: 'Hello World' };
+      testProps.user.status = { emoji: 'basketball_player', message_html: 'Hello World' };
  
      vm = mountComponent(UserPopover, {
        ...DEFAULT_PROPS,
        target: document.querySelector('.js-user-link'),
-        status: { emoji: 'basketball_player', message: 'Hello World' },
+        status: { emoji: 'basketball_player', message_html: 'Hello World' },
      });
  
      expect(vm.$el.textContent).toContain('Hello World');