XSS in url_for(params)
Click the feed icon at the top and you'll get an alert box.
We need to:
- Audit all current uses of `url_for` where we modify params.
- Replace those with a `safe_params`-based argument.
- Either add a RuboCop rule for `url_for` without the argument being `safe_params`, or create a follow-up issue.
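The following is an added example, not code from GitLab or from this issue. It models, in plain Ruby, why `url_for(params.merge(...))` is dangerous: Rails' `url_for` treats `:host`, `:protocol` and `:port` in its options Hash as URL components, and `params` carries whatever the visitor put in the query string. The `toy_url_for` below is a deliberately simplified stand-in (it does not reproduce Rails' exact protocol/host normalisation), the `safe_params` body and the key list it strips are assumptions, and the regex audit is a grep-level first pass at the RuboCop idea, not a real cop. The request params and the scanned source snippet are constructed.

```ruby
require 'uri'

# Keys that Rails' url_for interprets as URL components rather than query
# parameters. Assumption: this is the set a safe_params helper should strip.
URL_COMPONENT_KEYS = %i[host port protocol].freeze

# Simplified stand-in for url_for(hash): when :host is present a full URL is
# built from :protocol/:host/:port, otherwise only a path is emitted. Every
# other key becomes part of the query string.
def toy_url_for(options, path: '/dashboard/projects')
  opts  = options.transform_keys(&:to_sym)
  query = opts.reject { |k, _| URL_COMPONENT_KEYS.include?(k) }
  qs    = query.empty? ? '' : '?' + URI.encode_www_form(query)
  return path + qs unless opts[:host]

  proto = opts[:protocol] ? opts[:protocol].to_s.sub(%r{:?/*\z}, '') : 'http'
  port  = opts[:port] ? ":#{opts[:port]}" : ''
  "#{proto}://#{opts[:host]}#{port}#{path}#{qs}"
end

# Vulnerable pattern from this issue: the feed link is built from the request's
# own params, so ?host=...&protocol=... from the visitor ends up in the href.
def feed_link_vulnerable(params)
  toy_url_for(params.merge(format: :atom))
end

# Hardened pattern: drop the URL-component keys before handing params to
# url_for. Assumed shape of a safe_params helper; not GitLab's code.
def safe_params(params)
  params.reject { |k, _| URL_COMPONENT_KEYS.include?(k.to_sym) }
end

def feed_link_safe(params)
  toy_url_for(safe_params(params).merge(format: :atom))
end

# First-pass audit for the RuboCop item: flag url_for calls whose argument is
# built from params instead of safe_params. Regex-based, so it only catches
# the literal `url_for(params...)` spelling. Returns [line_number, line] pairs.
def unsafe_url_for_lines(source)
  source.lines.each_with_index
        .select { |line, _| line =~ /\burl_for\(\s*params\b/ }
        .map { |line, i| [i + 1, line.strip] }
end

# Constructed source snippet to scan; not taken from the GitLab code base.
SAMPLE_SOURCE = <<~RUBY
  link_to 'Feed', url_for(params.merge(format: :atom))
  link_to 'Feed', url_for(safe_params.merge(format: :atom))
  redirect_to url_for(params)
RUBY

if $PROGRAM_NAME == __FILE__
  # Constructed request params: a visitor-supplied host and protocol.
  evil = { 'host' => 'attacker.example', 'protocol' => 'javascript', 'sort' => 'name' }
  puts feed_link_vulnerable(evil)   # attacker controls scheme and host
  puts feed_link_safe(evil)         # path plus the harmless query keys only
  unsafe_url_for_lines(SAMPLE_SOURCE).each { |n, l| puts "#{n}: #{l}" }
end
```

The audit regex misses indirections such as `opts = params.merge(...); url_for(opts)`, which is why the issue's RuboCop rule (or manual review of every `url_for` call) is still needed.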
Because of https://gitlab.com/gitlab-org/gitlab-ce/merge_requests/18241, the patch will be slightly different for 10.7 and below than for 10.8 and above.