Skip to content
Snippets Groups Projects
Select Git revision
  • morefice-master-patch-99906
  • master default protected
  • 208412-fj-create-group-features-table-and-basics
  • 326701-move-vsa-filters-to-ce
  • stkerr-self-managed-doc-tag
  • 338902-add-global-tabs-feature-flags
  • 218173-ci-resource_group-not-working-when-using-ci_environment_name-directly
  • 338730-rubocop-rule-to-prevent-subtransactions
  • 335638-devops-adoption-add-an-adoption-table-in-the-overview-tab
  • 332891-improve-pipeline-creation-instrumentation
  • 338039-dast-profiles-readme
  • 330707-pipeline-graphql-nplusone
  • dz-integrated-error-tracking-expose-dsn
  • 332258-replace-dropdowntitle-component-with-sidebareditableitem
  • pks-drop-squash-in-progress
  • 14-0-stable-ee-patch-8
  • jnnkl-gitlab-ui-32.2.3
  • feature/gb/reduce-thresholds-for-subtransactions-logging
  • dz-integrated-error-tracking-doc
  • ci-skip-processing-failed-traces
  • v14.2.0-ee
  • v14.2.0-rc42-ee
  • v14.1.3-ee
  • v13.12.10-ee
  • v13.12.9-ee
  • v14.0.7-ee
  • v14.1.2-ee
  • v14.1.1-ee
  • v14.1.0-ee
  • v14.1.0-rc43-ee
  • v14.0.6-ee
  • v14.1.0-rc42-ee
  • v14.0.5-ee
  • v13.11.7-ee
  • v13.12.8-ee
  • v14.0.4-ee
  • v14.0.3-ee
  • v13.12.7-ee
  • v13.11.6-ee
  • v13.12.6-ee
40 results

security-fix-markdown-xss.yml

Forked from GitLab.org / GitLab
Source project has a limited visibility.
  • Jan Provaznik's avatar
    06a7bcb3
    Re-escape whole HTML content instead of only match · 06a7bcb3
    Jan Provaznik authored 
    When we un-escape HTML text to find references in it, we should then
re-escape the whole text again, not only found matches.

Because we replace matches with milestone/label links (which contain
HTML tags we don't want to escape again), we re-escape HTML text
with placeholders instead of these links and then replace placeholders
in the escaped text.
    06a7bcb3
    History
    Re-escape whole HTML content instead of only match
    Jan Provaznik authored 
    When we un-escape HTML text to find references in it, we should then
re-escape the whole text again, not only found matches.

Because we replace matches with milestone/label links (which contain
HTML tags we don't want to escape again), we re-escape HTML text
with placeholders instead of these links and then replace placeholders
in the escaped text.