diff options
author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-29 19:11:01 +0300 |
---|---|---|
committer | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-29 19:11:01 +0300 |
commit | 5091cc4f778facdbf53dc84349a1e6d9bc684220 (patch) | |
tree | 99c6ced6f8c779bbaeefa92a89286df814f69109 /spec/features | |
parent | 5b0b73d922f5081e84697d439b30959161966727 (diff) | |
parent | 898462d721969bb9341cfd9dac7d65eb39b0f4e6 (diff) |
Merge branch 'security-2717-fix-issue-title-xss' into 'master'
[master] Escape issue title while template rendering to prevent XSS
See merge request gitlab/gitlabhq!2556
Diffstat (limited to 'spec/features')
-rw-r--r-- | spec/features/issues/gfm_autocomplete_spec.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/features/issues/gfm_autocomplete_spec.rb b/spec/features/issues/gfm_autocomplete_spec.rb index 08bf9bc7243..593dc6b6690 100644 --- a/spec/features/issues/gfm_autocomplete_spec.rb +++ b/spec/features/issues/gfm_autocomplete_spec.rb @@ -35,6 +35,21 @@ describe 'GFM autocomplete', :js do expect(page).to have_selector('.atwho-container') end + it 'opens autocomplete menu when field starts with text with item escaping HTML characters' do + alert_title = 'This will execute alert<img src=x onerror=alert(2)<img src=x onerror=alert(1)>' + create(:issue, project: project, title: alert_title) + + page.within '.timeline-content-form' do + find('#note-body').native.send_keys('#') + end + + expect(page).to have_selector('.atwho-container') + + page.within '.atwho-container #at-view-issues' do + expect(page.all('li').first.text).to include(alert_title) + end + end + it 'doesnt open autocomplete menu character is prefixed with text' do page.within '.timeline-content-form' do find('#note-body').native.send_keys('testing') |