Cross-Site Scripting Warning in app/controllers/projects/merge_requests_controller.rb
Created by: mbtuchman
Discovery date: 2015-11-12
Source: static code analysis
Confidence level: Medium
Issue: Unescaped model attribute rendered inline in app/controllers/projects/merge_requests_controller.rb:54
Project.find_with_namespace([params[:namespace_id], "/", params[:id]].join("")).merge_requests.find_by!(:iid => params[:id]).to_patch(current_user)
SOLUTION: fix the issue in app/controllers/projects/merge_requests_controller.rb
NOTES: XSS occurs when a user-manipulatable value is displayed on a web page without escaping it, allowing someone to inject JavaScript or HTML into the page.