Cross-site scripting (XSS) attack when selecting author filter in issue search bar
Summary
A cross-site scripting (XSS) attack is possible when selecting an author filter in the issue search bar if the user's profile name contains malicious script.
Steps to reproduce
- Visit https://gitlab.com/profile
- Edit your Name to include the following text
" onload="alert('hi')">
- Visit https://gitlab.com/gitlab-org/gitlab-ce/issues/
- In the filter bar type 'author:' and select your profile.
What is the current bug behavior?
A JavaScript alert showing "hi" appears.
What is the expected correct behavior?
Malicious script should be encoded correctly in the alt attribute of the avatar as well as in the inner HTML.
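
An added example, not GitLab's code and not part of the original report: the profile name from the steps above rendered into an avatar's alt attribute and an element body, once by plain concatenation and once HTML-encoded. The function names, the markup and the avatar path are assumptions made for the illustration.

```javascript
// Illustration only: hypothetical renderers, not GitLab's filter dropdown code.

// Encode the characters that are significant in HTML text and quoted attributes.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the profile name is concatenated into the alt attribute
// and the element body without encoding.
function renderAuthorUnsafe(user) {
  return `<img src="${user.avatarUrl}" alt="${user.name}"><span>${user.name}</span>`;
}

// Hardened pattern: every user-controlled value is encoded before insertion.
function renderAuthorSafe(user) {
  return `<img src="${escapeHtml(user.avatarUrl)}" alt="${escapeHtml(user.name)}">` +
         `<span>${escapeHtml(user.name)}</span>`;
}

// Small quote-aware scanner: returns the attribute names an HTML parser would
// see on the first <img> tag. Useful as a regression check on rendered markup.
function imgAttributeNames(html) {
  const start = html.indexOf('<img');
  if (start < 0) return [];
  const attr = /\s+([^\s=>"']+)(?:=("[^"]*"|'[^']*'|[^\s>]*))?/y;
  attr.lastIndex = start + 4;
  const names = [];
  let match;
  while ((match = attr.exec(html)) !== null) names.push(match[1].toLowerCase());
  return names;
}

// Constructed sample: the profile name from the report, placeholder avatar path.
const SAMPLE_USER = { name: `" onload="alert('hi')">`, avatarUrl: '/uploads/avatar.png' };

// Unencoded: the quote in the name closes alt early and onload becomes an attribute.
console.log('unsafe:', imgAttributeNames(renderAuthorUnsafe(SAMPLE_USER)));
// Encoded: the whole name stays inside the alt value.
console.log('safe:  ', imgAttributeNames(renderAuthorSafe(SAMPLE_USER)));
```

The attribute list from `imgAttributeNames` can be asserted in a unit test for any template that renders user-controlled names, so an unexpected event-handler attribute fails the build.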