Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee

1 files changed, 26 insertions, 22 deletions

diff --git a/spec/frontend/behaviors/copy_as_gfm_spec.js b/spec/frontend/behaviors/copy_as_gfm_spec.js
index acff990e84a..557b609f5f9 100644
--- a/spec/frontend/behaviors/copy_as_gfm_spec.js
+++ b/spec/frontend/behaviors/copy_as_gfm_spec.js
@@ -1,50 +1,54 @@
 import initCopyAsGFM, { CopyAsGFM } from '~/behaviors/markdown/copy_as_gfm';
-import * as commonUtils from '~/lib/utils/common_utils';
 
 describe('CopyAsGFM', () => {
   describe('CopyAsGFM.pasteGFM', () => {
-    function callPasteGFM() {
+    let target;
+
+    beforeEach(() => {
+      target = document.createElement('input');
+      target.value = 'This is code: ';
+    });
+
+    // When GFM code is copied, we put the regular plain text
+    // on the clipboard as `text/plain`, and the GFM as `text/x-gfm`.
+    // This emulates the behavior of `getData` with that data.
+    function callPasteGFM(data = { 'text/plain': 'code', 'text/x-gfm': '`code`' }) {
       const e = {
         originalEvent: {
           clipboardData: {
             getData(mimeType) {
-              // When GFM code is copied, we put the regular plain text
-              // on the clipboard as `text/plain`, and the GFM as `text/x-gfm`.
-              // This emulates the behavior of `getData` with that data.
-              if (mimeType === 'text/plain') {
-                return 'code';
-              }
-              if (mimeType === 'text/x-gfm') {
-                return '`code`';
-              }
-              return null;
+              return data[mimeType] || null;
             },
           },
         },
         preventDefault() {},
+        target,
       };
 
       CopyAsGFM.pasteGFM(e);
     }
 
     it('wraps pasted code when not already in code tags', () => {
-      jest.spyOn(commonUtils, 'insertText').mockImplementation((el, textFunc) => {
-        const insertedText = textFunc('This is code: ', '');
+      callPasteGFM();
 
-        expect(insertedText).toEqual('`code`');
-      });
+      expect(target.value).toBe('This is code: `code`');
+    });
+
+    it('does not wrap pasted code when already in code tags', () => {
+      target.value = 'This is code: `';
 
       callPasteGFM();
+
+      expect(target.value).toBe('This is code: `code');
     });
 
-    it('does not wrap pasted code when already in code tags', () => {
-      jest.spyOn(commonUtils, 'insertText').mockImplementation((el, textFunc) => {
-        const insertedText = textFunc('This is code: `', '`');
+    it('does not allow xss in x-gfm-html', () => {
+      const testEl = document.createElement('div');
+      jest.spyOn(document, 'createElement').mockReturnValueOnce(testEl);
 
-        expect(insertedText).toEqual('code');
-      });
+      callPasteGFM({ 'text/plain': 'code', 'text/x-gfm-html': 'code<img/src/onerror=alert(1)>' });
 
-      callPasteGFM();
+      expect(testEl.innerHTML).toBe('code<img src="">');
     });
   });