Editing a comment containing <script> tags executes it.
Summary
When a comment on an issue contains a HTML script-tag it gets executed on save when editing that comment.
Steps to reproduce
- Leave a comment containing
<script>alert("foo");</script>
. You may even put it in backtick-quotes, it won't change the outcome. - Save the comment.
- Click on the edit icon.
- Save again -> Your browser should alert "foo".
Note: This only works for comments, not the issue itself (i.e. the original post).
What is the current bug behavior?
Arbitrary JS code can be executed. I'm not quite sure how you could abuse this (make someone quote your own comment, hope for them to edit theirs…) but it's definitely a security issue. I'm gonna flag this as confidential since I don't know exactly how bad it is.
What is the expected correct behavior?
Escape properly, don't let arbitrary code get executed.
Output of checks
This bug happens on GitLab.com
Edited by Gandalf