XSS vulnerability in admin feature to send email notification

Summary

The /admin/email endpoint is vulnerable to Cross Site Scripting (XSS) attack, as originally reported by @jbroullon in https://gitlab.com/gitlab-org/security/gitlab/merge_requests/50#note_271320217.

Steps to reproduce

Log in as an admin
Add a malicious script to a group name
- Open any group
- Select Settings > General in the left sidebar
- Add this to the "Group name": <SCRIPT>alert('ATTACKED!')</SCRIPT>
- Click to "Save changes"
Confirm the malicious script is executed on the "Send email notification" page
- Go to /admin/email
- Click the "Recipient group" dropdown input to open it
- See an alert appear with the text "ATTACKED!"

What is the current bug behavior?

User input is treated as trusted.

What is the expected correct behavior?

User input is not treated as trusted.

Relevant logs and/or screenshots

Similar to #30173 (closed) and #197302 (closed).

Output of checks

This bug happens on GitLab.com

Possible fixes

Escape using sanitizeItem()
Escape before saving to the database (but there is strange behavior with this)

Edited Feb 03, 2020 by Jeremy Matos