Commit db8baf2895f111652699c5b48d8cb2663eed6c3f

Authored by Dmitriy Zaporozhets
1 parent d0646bab

Since search_autocomplete_source is rendered with raw, all human input should be sanitized to prevent XSS
Showing 1 changed file with 10 additions and 10 deletions   Show diff stats
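--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -72,7 +72,7 @@ module ApplicationHelper
   end
 
   def search_autocomplete_source
-    projects = current_user.authorized_projects.map { |p| { label: "project: #{p.name_with_namespace}", url: project_path(p) } }
+    projects = current_user.authorized_projects.map { |p| { label: "project: #{simple_sanitize(p.name_with_namespace)}", url: project_path(p) } }
     groups = current_user.authorized_groups.map { |group| { label: "group: #{simple_sanitize(group.name)}", url: group_path(group) } }
     teams = current_user.authorized_teams.map { |team| { label: "team: #{simple_sanitize(team.name)}", url: team_path(team) } }
 
@@ -98,15 +98,15 @@ module ApplicationHelper
     project_nav = []
     if @project && @project.repository && @project.repository.root_ref
       project_nav = [
-        { label: "#{@project.name_with_namespace} - Issues", url: project_issues_path(@project) },
-        { label: "#{@project.name_with_namespace} - Commits", url: project_commits_path(@project, @ref || @project.repository.root_ref) },
-        { label: "#{@project.name_with_namespace} - Merge Requests", url: project_merge_requests_path(@project) },
-        { label: "#{@project.name_with_namespace} - Milestones", url: project_milestones_path(@project) },
-        { label: "#{@project.name_with_namespace} - Snippets", url: project_snippets_path(@project) },
-        { label: "#{@project.name_with_namespace} - Team", url: project_team_index_path(@project) },
-        { label: "#{@project.name_with_namespace} - Tree", url: project_tree_path(@project, @ref || @project.repository.root_ref) },
-        { label: "#{@project.name_with_namespace} - Wall", url: wall_project_path(@project) },
-        { label: "#{@project.name_with_namespace} - Wiki", url: project_wikis_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Issues", url: project_issues_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Commits", url: project_commits_path(@project, @ref || @project.repository.root_ref) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Merge Requests", url: project_merge_requests_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Milestones", url: project_milestones_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Snippets", url: project_snippets_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Team", url: project_team_index_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Tree", url: project_tree_path(@project, @ref || @project.repository.root_ref) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Wall", url: wall_project_path(@project) },
+        { label: "#{simple_sanitize(@project.name_with_namespace)} - Wiki", url: project_wikis_path(@project) },
       ]
     end
 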
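Review bot: The nine `project_nav` entries in the second hunk each call `simple_sanitize(@project.name_with_namespace)` separately, so the sanitized value is recomputed per entry and any entry added later can silently omit the call and reintroduce the same XSS path the commit closes; computing it once above the array — `project_name = simple_sanitize(@project.name_with_namespace)` — and using `label: "#{project_name} - Issues"` in each entry keeps the sanitization in one place. Sanitizing at the data source only covers the fields touched here; since the description says the view emits this source with `raw`, escaping at the output (the consumer inserting `label` as text rather than HTML) would also cover fields added later, though the view is not visible on this page. The `url:` values come from route helpers and are left unsanitized, which looks intentional. search_autocomplete_source starts in the first hunk and continues past the end of the second.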