From 1aaeb6d8c18760d636580a0e7152eb5fc5ea950b Mon Sep 17 00:00:00 2001
From: Igor Drozdov
Date: Tue, 16 Apr 2019 16:29:37 +0300
Subject: [PATCH] Escape path in new merge request mail
---
 app/views/notify/new_merge_request_email.html.haml | 2 +-
 changelogs/unreleased/security-id-email-xss.yml | 5 +++++
 2 files changed, 6 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/security-id-email-xss.yml
diff --git a/app/views/notify/new_merge_request_email.html.haml b/app/views/notify/new_merge_request_email.html.haml
index db23447dd39..78de5548dad 100644
--- a/app/views/notify/new_merge_request_email.html.haml
+++ b/app/views/notify/new_merge_request_email.html.haml
@@ -3,7 +3,7 @@
 #{link_to @merge_request.author_name, user_url(@merge_request.author)} created a merge request:
 %p.details
- != merge_path_description(@merge_request, '→')
+ = merge_path_description(@merge_request, '→')
 - if @merge_request.assignee_id.present?
 %p
diff --git a/changelogs/unreleased/security-id-email-xss.yml b/changelogs/unreleased/security-id-email-xss.yml
new file mode 100644
index 00000000000..36c00a70c6a
--- /dev/null
+++ b/changelogs/unreleased/security-id-email-xss.yml
@@ -0,0 +1,5 @@
+---
+title: Escape path in new merge request mail
+merge_request:
+author:
+type: security
-- GitLab
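Review bot: The escaped `= merge_path_description(@merge_request, '→')` under `%p.details` only protects the mail if the helper returns a plain, non-`html_safe` string, because `=` passes `html_safe` values through unescaped; the helper is not part of this diff, so that should be confirmed. The diffstat lists only the view and the changelog entry, so nothing pins the fix. A mailer spec that builds a merge request whose branch name contains markup and asserts that the HTML body carries it escaped would keep `!=` from coming back. A one-line guard comment above the call would help too, e.g. `-# merge_path_description output is presumably built from user-supplied branch/project names; keep it escaped (=, never !=)`. Other notify templates that render the same helper, if any, are worth checking for the same `!=`.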