Properly sanitize JSON data to fix XSS on Issue details page.

author: Fatih Acet <acetfatih@gmail.com> 2018-08-23 23:53:35 +0300
committer: André Luís <aluis@gitlab.com> 2018-09-11 15:30:36 +0300
commit: 6d360c210d3d822fc266eecc04753481ae4bda70 (patch)
tree: 2884f5d800cd8f26020bcf0913aa78c11bc3a61d /spec/javascripts/issue_show
parent: c56f2b96159afaf6f1e0831d0e7a756a40568cab (diff)
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/javascripts/issue_show/index_spec.js b/spec/javascripts/issue_show/index_spec.js
new file mode 100644
index 00000000000..fa0b426c06c
--- /dev/null
+++ b/spec/javascripts/issue_show/index_spec.js
@@ -0,0 +1,19 @@
+import initIssueableApp from '~/issue_show';
+
+describe('Issue show index', () => {
+  describe('initIssueableApp', () => {
+    it('should initialize app with no potential XSS attack', () => {
+      const d = document.createElement('div');
+      d.id = 'js-issuable-app-initial-data';
+      d.innerHTML = JSON.stringify({
+        initialDescriptionHtml: '&lt;img src=x onerror=alert(1)&gt;',
+      });
+      document.body.appendChild(d);
+
+      const alertSpy = spyOn(window, 'alert');
+      initIssueableApp();
+
+      expect(alertSpy).not.toHaveBeenCalled();
+    });
+  });
+});
author	Fatih Acet <acetfatih@gmail.com>	2018-08-23 23:53:35 +0300
committer	André Luís <aluis@gitlab.com>	2018-09-11 15:30:36 +0300
commit	6d360c210d3d822fc266eecc04753481ae4bda70 (patch)
tree	2884f5d800cd8f26020bcf0913aa78c11bc3a61d /spec/javascripts/issue_show
parent	c56f2b96159afaf6f1e0831d0e7a756a40568cab (diff)