author | Felipe Artur Cardozo <fcardozo@gitlab.com> | 2018-07-27 00:16:09 +0300 |
---|---|---|
committer | Felipe Artur Cardozo <fcardozo@gitlab.com> | 2018-07-27 00:16:09 +0300 |
commit | dae85363e363cc92e335808b2bd4e0608d92d760 (patch) | |
tree | c6bdb651c734ed1dcb7a347651cf1e596302a8eb /spec/features | |
parent | bc1b4d9fef7e55f9afffcfaa4f784b984ca97f31 (diff) | |
parent | 0e7aa236c8c8143770b6602fa99cb4197c65fe70 (diff) |
Merge branch 'security-2690-fix-tooltip' into 'master'
[master] Escapes job name used in tooltips
See merge request gitlab/gitlabhq!2427
Diffstat (limited to 'spec/features')
-rw-r--r-- | spec/features/projects/jobs_spec.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/features/projects/jobs_spec.rb b/spec/features/projects/jobs_spec.rb
index 35b1c46ecf6..83293c0ca7d 100644
--- a/spec/features/projects/jobs_spec.rb
+++ b/spec/features/projects/jobs_spec.rb
@@ -135,6 +135,20 @@ describe 'Jobs', :clean_gitlab_redis_shared_state do
 end
 end
+ context 'sidebar' do
+ let(:job) { create(:ci_build, :success, :trace_live, pipeline: pipeline, name: '<img src=x onerror=alert(document.domain)>') }
+
+ before do
+ visit project_job_path(project, job)
+ end
+
+ it 'renders escaped tooltip name' do
+ page.within('aside.right-sidebar') do
+ expect(find('.active.build-job a')['data-title']).to eq('<img src="x"> - passed')
+ end
+ end
+ end
+
+ context 'when job is not running', :js do
 let(:job) { create(:ci_build, :success, :trace_artifact, pipeline: pipeline) } |
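Review bot: The example name 'renders escaped tooltip name' does not match what the assertion pins: as the expected string is printed here, `data-title` still carries an `<img src="x">` element, so the job name is sanitized (the `onerror` attribute is dropped) rather than escaped, unless this page has decoded entities that are present in the real file. If sanitizing is the intended behaviour, rename the example to `it 'renders sanitized tooltip name' do` and state the security property directly with `expect(find('.active.build-job a')['data-title']).not_to include('onerror')`, so that a change in the sanitizer's attribute quoting does not hide a real regression behind an unrelated string mismatch. The new 'sidebar' context is also not tagged `:js`, unlike the context that follows it, so the spec presumably checks only the served attribute value and not what the tooltip renders in a browser; a one-line comment saying so would help the next reader.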