Merge branch 'security-2690-fix-tooltip' into 'master'

[master] Escapes job name used in tooltips See merge request gitlab/gitlabhq!2427
author: Felipe Artur Cardozo <fcardozo@gitlab.com> 2018-07-27 00:16:09 +0300
committer: Felipe Artur Cardozo <fcardozo@gitlab.com> 2018-07-27 00:16:09 +0300
commit: dae85363e363cc92e335808b2bd4e0608d92d760 (patch)
tree: c6bdb651c734ed1dcb7a347651cf1e596302a8eb /spec/features
parent: bc1b4d9fef7e55f9afffcfaa4f784b984ca97f31 (diff)
parent: 0e7aa236c8c8143770b6602fa99cb4197c65fe70 (diff)
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/features/projects/jobs_spec.rb b/spec/features/projects/jobs_spec.rb
index 35b1c46ecf6..83293c0ca7d 100644
--- a/spec/features/projects/jobs_spec.rb
+++ b/spec/features/projects/jobs_spec.rb
@@ -135,6 +135,20 @@ describe 'Jobs', :clean_gitlab_redis_shared_state do
       end
     end
 
+    context 'sidebar' do
+      let(:job) { create(:ci_build, :success, :trace_live, pipeline: pipeline, name: '<img src=x onerror=alert(document.domain)>') }
+
+      before do
+        visit project_job_path(project, job)
+      end
+
+      it 'renders escaped tooltip name' do
+        page.within('aside.right-sidebar') do
+          expect(find('.active.build-job a')['data-title']).to eq('<img src="x"> - passed')
+        end
+      end
+    end
+
     context 'when job is not running', :js do
       let(:job) { create(:ci_build, :success, :trace_artifact, pipeline: pipeline) }
author	Felipe Artur Cardozo <fcardozo@gitlab.com>	2018-07-27 00:16:09 +0300
committer	Felipe Artur Cardozo <fcardozo@gitlab.com>	2018-07-27 00:16:09 +0300
commit	dae85363e363cc92e335808b2bd4e0608d92d760 (patch)
tree	c6bdb651c734ed1dcb7a347651cf1e596302a8eb /spec/features
parent	bc1b4d9fef7e55f9afffcfaa4f784b984ca97f31 (diff)
parent	0e7aa236c8c8143770b6602fa99cb4197c65fe70 (diff)