Merge branch '48617-promoting-milestone' into 'master'

[master] Escapes milestone title shown in flash message when promoting a milestone See merge request gitlab/gitlabhq!2436
author: Felipe Artur Cardozo <fcardozo@gitlab.com> 2018-07-27 00:16:34 +0300
committer: Felipe Artur Cardozo <fcardozo@gitlab.com> 2018-07-27 00:16:34 +0300
commit: 45c94aba1b90dbe86c5583c8782cc3f624249fa1 (patch)
tree: 94c1f356586495318cad13a4ef04ad52a7835e3c /spec/controllers
parent: 9852304befb88cd112cb681ff5cca0c31cd2ddd4 (diff)
parent: dfe0981deceddb9c927fa503aed77d1a97040d60 (diff)
2 files changed, 16 insertions, 0 deletions
diff --git a/spec/controllers/projects/labels_controller_spec.rb b/spec/controllers/projects/labels_controller_spec.rb
index 273702e6d21..e03d23bcdf6 100644
--- a/spec/controllers/projects/labels_controller_spec.rb
+++ b/spec/controllers/projects/labels_controller_spec.rb
@@ -143,6 +143,14 @@ describe Projects::LabelsController do
         expect(GroupLabel.find_by(title: promoted_label_name)).not_to be_nil
       end
 
+      it 'renders label name without parsing it as HTML' do
+        label_1.update!(name: 'CCC&lt;img src=x onerror=alert(document.domain)&gt;')
+
+        post :promote, namespace_id: project.namespace.to_param, project_id: project, id: label_1.to_param
+
+        expect(flash[:notice]).to eq("CCC&lt;img src=x onerror=alert(document.domain)&gt; promoted to <a href=\"#{group_labels_path(project.group)}\"><u>group label</u></a>.")
+      end
+
       context 'service raising InvalidRecord' do
         before do
           expect_any_instance_of(Labels::PromoteService).to receive(:execute) do |label|
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index ea906cf7f32..6c2d1c7e92b 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -127,6 +127,14 @@ describe Projects::MilestonesController do
         expect(flash[:notice]).to eq("#{milestone.title} promoted to <a href=\"#{group_milestone_path(project.group, milestone.iid)}\"><u>group milestone</u></a>.")
         expect(response).to redirect_to(project_milestones_path(project))
       end
+
+      it 'renders milestone name without parsing it as HTML' do
+        milestone.update!(name: 'CCC&lt;img src=x onerror=alert(document.domain)&gt;')
+
+        post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid
+
+        expect(flash[:notice]).to eq("CCC promoted to <a href=\"#{group_milestone_path(project.group, milestone.iid)}\"><u>group milestone</u></a>.")
+      end
     end
 
     context 'promotion fails' do
author	Felipe Artur Cardozo <fcardozo@gitlab.com>	2018-07-27 00:16:34 +0300
committer	Felipe Artur Cardozo <fcardozo@gitlab.com>	2018-07-27 00:16:34 +0300
commit	45c94aba1b90dbe86c5583c8782cc3f624249fa1 (patch)
tree	94c1f356586495318cad13a4ef04ad52a7835e3c /spec/controllers
parent	9852304befb88cd112cb681ff5cca0c31cd2ddd4 (diff)
parent	dfe0981deceddb9c927fa503aed77d1a97040d60 (diff)