XSS _after_ selecting malicious username string

https://hackerone.com/reports/402658

**How this is different from the previous issue**

https://gitlab.com/gitlab-org/gitlab-ee/issues/5892

The script is still triggered after the malicious name has been selected, when it is rendered in the text box.
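As an added example (not GitLab's code), the rendering pattern a defender would want here: the selected user's name is escaped for the HTML context before the approver entry is rendered, shown beside the raw-interpolation pattern that reproduces this bug class. The function names, the `containsForeignTag` check and the sample username are assumptions.

```javascript
// Added example: escape user-controlled display names before they are
// interpolated into the markup of a selected-approver entry.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape the five characters that matter in HTML text and attribute contexts.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: the name is dropped into the HTML template verbatim,
// so markup inside the username becomes part of the page.
function renderApproverUnsafe(user) {
  return `<span class="approver" data-id="${user.id}">${user.name}</span>`;
}

// Hardened pattern: every user-controlled field is escaped for the context
// it lands in (double-quoted attribute and element text here).
function renderApproverSafe(user) {
  return `<span class="approver" data-id="${escapeHtml(user.id)}">${escapeHtml(user.name)}</span>`;
}

// Constructed sample: a display name carrying markup characters.
const sampleUser = { id: 42, name: 'link777 <b title="x">bold</b>' };

// Detection helper for a unit test or a template audit: does the rendered
// fragment contain any tag that our own template did not emit?
function containsForeignTag(html, expectedTags = ['span']) {
  const tags = [...html.matchAll(/<\/?([a-zA-Z][\w-]*)/g)].map((m) => m[1].toLowerCase());
  return tags.some((t) => !expectedTags.includes(t));
}

console.log(renderApproverUnsafe(sampleUser)); // foreign <b> tag survives
console.log(renderApproverSafe(sampleUser));   // only our own <span> remains
```

The same check applies when the name is rendered into the text box after selection: the escape must happen at every render site, not only in the search-result list.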


From HackerOne report:

Steps to reproduce:

  • Open project settings
  • paste in this field link777
  • click on result

In the username, an XSS PoC should be written, like mine.

Impact

The security impact is the same as any typical persistent XSS.

Gitlab Security Team Verification

This was verified against GDK version GitLab Enterprise Edition 11.3.0-pre.
