Rewrite advanced_search_status_marker to be vue app
Background
83310410 introduced a method to display a label explaining to users why advanced search might be disabled during code search:
"Advanced search is disabled since branch-name is not the default branch."
This implementation depends on html_safe to work, and it renders user-controlled content by displaying the ref_name (branch or tag), which could easily open a vulnerability.
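As an added example (not the page's or GitLab's own code), the two ways of building this label in Ruby: the raw interpolation that html_safe then marks as trusted, beside a hardened version that escapes the ref name before it enters the markup. DEFAULT_BRANCH, the function names and the small safe_format helper are constructed for this illustration and run without Rails.

```ruby
require "erb"

# Constructed stand-in for the helper described in the issue, not
# GitLab's search_helper.rb. Both variants build the "Advanced search is
# disabled" label from a user-controlled ref name (branch or tag).
DEFAULT_BRANCH = "main" # constructed value for the example

# Vulnerable pattern: the ref name is interpolated raw and the resulting
# string is then treated as trusted markup (html_safe in Rails), so any
# markup inside a branch name is rendered as-is.
def status_label_unsafe(ref_name, default_branch = DEFAULT_BRANCH)
  return nil if ref_name == default_branch

  "Advanced search is disabled since <code>#{ref_name}</code> is not the default branch."
end

# Minimal model of a safe_format-style helper: the template is trusted,
# every substituted value is HTML-escaped before it is inserted.
def safe_format(template, **values)
  template.gsub(/%\{(\w+)\}/) do
    key = Regexp.last_match(1).to_sym
    ERB::Util.html_escape(values.fetch(key).to_s)
  end
end

# Hardened pattern: same markup, but ref_name can no longer break out of
# the <code> element because it is escaped on the way in.
def status_label_safe(ref_name, default_branch = DEFAULT_BRANCH)
  return nil if ref_name == default_branch

  safe_format(
    "Advanced search is disabled since <code>%{ref}</code> is not the default branch.",
    ref: ref_name
  )
end

if __FILE__ == $PROGRAM_NAME
  hostile = "<script>alert(1)</script>" # constructed hostile ref name
  puts status_label_unsafe(hostile) # the script tag survives untouched
  puts status_label_safe(hostile)   # rendered as &lt;script&gt;...
end
```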
Proposal
I propose to rewrite this part of the UI in Vue, following best practice. Vue will allow us to write this in a 1000% simpler way that is clear and legible, harder to break when tampered with, and helps us inch towards the whole page being one Vue app, which has many benefits.
Some of these are:
- Using the page-wide state to determine which search is being used.
- Cleaner straight forward code.
- Faster tests.
Original discussion
The following discussion from !130502 (merged) should be addressed:
- @project_34814626_bot_8d1c07629ea2f2f7827e52c73ef57f5d started a discussion: (+3 comments)
  The findings below have been detected based on the AppSec custom SAST rules. For more information about this bot and what to do with this comment head over to the README. The following lines of code possibly need attention:
  - ee/app/helpers/ee/search_helper.rb, line 125: html_safe usage is risky and frequently leads to XSS. Please review carefully to make sure that no unsanitized user input can reach message.