You need to sign in or sign up before continuing.

Cross-site scripting XSS attack when selecting author filter in issue search bar

Summary

There is a cross-site scripting XSS attack when selecting an author filter in the issue search bar when the user's profile name has malicious script in it.

Steps to reproduce

Visit https://gitlab.com/profile
Edit your Name to include the following text " onload="alert('hi')">
Visit https://gitlab.com/gitlab-org/gitlab-ce/issues/
In the filter bar type 'author:' and select your profile.

What is the current bug behavior?

JavaScript alert hi appears

What is the expected correct behavior?

Malicious script should be encoded correctly in the alt tag of the avatar as well as the inner html.

Possible fixes

See https://gitlab.com/gitlab-org/gitlab-ce/blob/master/app/assets/javascripts/filtered_search/filtered_search_visual_tokens.js