
gitlab.com/gitlab-org/gitlab-foss.git - Unnamed repository; edit this file 'description' to name the repository.
authorGitLab Bot <gitlab-bot@gitlab.com>2023-06-06 03:08:24 +0300
committerGitLab Bot <gitlab-bot@gitlab.com>2023-06-06 03:08:24 +0300
commitbdad4dd5dabec7a0a611d5241fa2d56359884420 (patch)
tree333f5147c450cf0849823c7c42c7e52d70a0af74 /spec/helpers
parent96e23b2017cbe56969771960f6c274c5d3599397 (diff)
Add latest changes from gitlab-org/gitlab@master
Diffstat (limited to 'spec/helpers')
-rw-r--r--spec/helpers/merge_requests_helper_spec.rb18
1 files changed, 15 insertions, 3 deletions
diff --git a/spec/helpers/merge_requests_helper_spec.rb b/spec/helpers/merge_requests_helper_spec.rb
index 93df9d5f94b..b6c8653a563 100644
--- a/spec/helpers/merge_requests_helper_spec.rb
+++ b/spec/helpers/merge_requests_helper_spec.rb
@@ -183,10 +183,18 @@ RSpec.describe MergeRequestsHelper, feature_category: :code_review_workflow do
end
describe '#merge_request_source_branch' do
- let_it_be(:project) { create(:project) }
- let(:forked_project) { fork_project(project) }
- let(:merge_request_forked) { create(:merge_request, source_project: forked_project, target_project: project) }
+ let(:malicious_branch_name) { 'name<script>test</script>' }
+ let(:project) { create(:project) }
let(:merge_request) { create(:merge_request, source_project: project, target_project: project) }
+ let(:forked_project) { fork_project(project) }
+ let(:merge_request_forked) do
+ create(
+ :merge_request,
+ source_project: forked_project,
+ source_branch: malicious_branch_name,
+ target_project: project
+ )
+ end
context 'when merge request is a fork' do
subject { merge_request_source_branch(merge_request_forked) }
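Review bot: Only `merge_request_forked` is given `source_branch: malicious_branch_name`, so the same-project `merge_request` still uses the factory's default branch name. The 'when merge request is not a fork' context therefore never feeds markup-bearing input to `merge_request_source_branch`. If the helper builds its output differently for forks and non-forks (the helper is not visible here), an escaping regression on the non-fork path would go unnoticed. Consider passing `source_branch: malicious_branch_name` to `merge_request` as well and repeating the escaping example in that context, whose body continues outside this hunk. Separately, replacing `let_it_be(:project)` with `let(:project)` recreates the project for every example; a short comment saying why that is needed would help the next reader.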
@@ -194,6 +202,10 @@ RSpec.describe MergeRequestsHelper, feature_category: :code_review_workflow do
it 'does show the fork icon' do
expect(subject).to match(/fork/)
end
+
+ it 'escapes properly' do
+ expect(subject).to include(html_escape(malicious_branch_name))
+ end
end
context 'when merge request is not a fork' do
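Review bot: The new 'escapes properly' example only asserts that the escaped form is present: `expect(subject).to include(html_escape(malicious_branch_name))`. It would still pass if the helper also emitted the raw branch name elsewhere in the same markup, for example in an attribute or tooltip. Pair it with a negative assertion such as `expect(subject).not_to include(malicious_branch_name)`, so the spec fails whenever an unescaped `<script>` reaches the output. A more specific description, e.g. `it 'escapes the source branch name'`, would also make a failure easier to read.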