diff options
author | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-27 13:19:31 +0300 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2021-10-27 13:19:47 +0300 |
commit | 25e94f0fc4c4666dbbacfcbdd6bce0380b8fe1d0 (patch) | |
tree | cb756f7da033b1827b9677dec8ffe20757a80f20 /spec/frontend/lib/dompurify_spec.js | |
parent | 1ef777bffd5e64ea5764920a30998a4d7c5241e3 (diff) |
Add latest changes from gitlab-org/security/gitlab@14-4-stable-ee
Diffstat (limited to 'spec/frontend/lib/dompurify_spec.js')
-rw-r--r-- | spec/frontend/lib/dompurify_spec.js | 6 |
1 files changed, 5 insertions, 1 deletions
diff --git a/spec/frontend/lib/dompurify_spec.js b/spec/frontend/lib/dompurify_spec.js index 324441fa2c9..47a94a4dcde 100644 --- a/spec/frontend/lib/dompurify_spec.js +++ b/spec/frontend/lib/dompurify_spec.js @@ -22,12 +22,16 @@ const safeUrls = { const unsafeUrls = [ '/an/evil/url', '../../../evil/url', - 'https://evil.url/assets/icons-123a.svg', + 'https://evil.url/assets/icons-123a.svg#test', 'https://evil.url/assets/icons-456b.svg', `https://evil.url/${rootGon.sprite_icons}`, `https://evil.url/${rootGon.sprite_file_icons}`, `https://evil.url/${absoluteGon.sprite_icons}`, `https://evil.url/${absoluteGon.sprite_file_icons}`, + `${rootGon.sprite_icons}/../evil/path`, + `${rootGon.sprite_file_icons}/../../evil/path`, + `${absoluteGon.sprite_icons}/../evil/path`, + `${absoluteGon.sprite_file_icons}/../../https://evil.url`, ]; const forbiddenDataAttrs = ['data-remote', 'data-url', 'data-type', 'data-method']; |