    Merge branch 'rs-issue-15126' into 'master' · 2c9cd67f
    Douwe Maan authored
    Remove persistent XSS vulnerability in `commit_person_link` helper
    
    Because we were incorrectly supplying the tooltip title as
    `data-original-title` (which Bootstrap's Tooltip JS automatically
    applies based on the `title` attribute; we should never be setting it
    directly), the value was being passed through as-is.
    
    Instead, we should be supplying the normal `title` attribute and letting
    Rails escape the value, which also negates the need for us to call
    `sanitize` on it.
    
    Closes https://gitlab.com/gitlab-org/gitlab-ce/issues/15126
    
    See merge request !1948
    Signed-off-by: Rémy Coutable <remy@rymai.me>
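To illustrate the two attribute shapes the commit message contrasts, here is an added example (not GitLab's own helper code). `commit_person_link_vulnerable` and `commit_person_link_fixed` are hypothetical reconstructions, `ERB::Util.html_escape` stands in for the escaping Rails' tag helpers apply to a plain `title` attribute, and the crafted display name is a constructed input.

```ruby
require 'erb'

# Constructed sample input: a display name that tries to close the attribute
# it is placed in and start a new one. Not taken from the original commit.
CRAFTED_NAME = 'Mallory" data-injected="yes'

# Vulnerable shape, as the commit describes it: the tooltip text is written
# straight into data-original-title, so whatever the user supplied lands in
# the markup as-is and can break out of the attribute value.
def commit_person_link_vulnerable(name, email)
  %(<a href="mailto:#{email}" data-original-title="#{name}" data-toggle="tooltip">#{name}</a>)
end

# Fixed shape: set the normal title attribute and let the view layer escape it.
# Bootstrap's Tooltip JS copies title into data-original-title itself, so the
# helper never needs to write that attribute, and no sanitize call is needed.
def commit_person_link_fixed(name, email)
  safe_name  = ERB::Util.html_escape(name)
  safe_email = ERB::Util.html_escape(email)
  %(<a href="mailto:#{safe_email}" title="#{safe_name}" data-toggle="tooltip">#{safe_name}</a>)
end

# Simple check a reviewer might script against rendered output: did the
# crafted value manage to introduce an attribute of its own?
def attribute_breakout?(html)
  html.include?(' data-injected="')
end

if __FILE__ == $PROGRAM_NAME
  puts commit_person_link_vulnerable(CRAFTED_NAME, 'mallory@example.com')
  puts commit_person_link_fixed(CRAFTED_NAME, 'mallory@example.com')
end
```

Running it prints the two anchors side by side: in the first the crafted quote terminates the attribute, in the second it is rendered as `&quot;` and stays inside the title.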