XSS vulnerability on custom project templates form

Summary

The "custom project templates" form is vulnerable to Cross Site Scripting (XSS) attack, as originally reported by @jbroullon in https://gitlab.com/gitlab-org/security/gitlab/merge_requests/50#note_271210097.

Steps to reproduce

• Log in as an admin
• Add a malicious script to a group name
  • Open any group
  • Select Settings > General in the left sidebar
  • Add this to the "Group name": <SCRIPT>alert('ATTACKED!')</SCRIPT>
  • Click to "Save changes"
• Confirm the malicious script is executed on the "Custom project templates" page
  • Go to Settings > Custom project templates
  • Click the group search dropdown input to open it
  • See an alert appear with the text "ATTACKED!"

What is the current bug behavior?

User input is treated as trusted.

What is the expected correct behavior?

User input is not treated as trusted.

Relevant logs and/or screenshots

Similar to #30173 (closed) and #197301 (closed).

Output of checks

This bug happens on GitLab.com

Possible fixes

• Escape using sanitizeItem()
• Escape before saving to the database (but there is strange behavior with this)