author | Fatih Acet <acetfatih@gmail.com> | 2018-08-23 23:53:35 +0300 |
committer | André Luís <aluis@gitlab.com> | 2018-09-11 15:30:36 +0300 |
commit | 6d360c210d3d822fc266eecc04753481ae4bda70 (patch) | |
tree | 2884f5d800cd8f26020bcf0913aa78c11bc3a61d /spec/javascripts/issue_show | |
parent | c56f2b96159afaf6f1e0831d0e7a756a40568cab (diff) |
Properly sanitize JSON data to fix XSS on Issue details page.
Diffstat (limited to 'spec/javascripts/issue_show')
-rw-r--r-- | spec/javascripts/issue_show/index_spec.js | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/javascripts/issue_show/index_spec.js b/spec/javascripts/issue_show/index_spec.js
new file mode 100644
index 00000000000..fa0b426c06c
--- /dev/null
+++ b/spec/javascripts/issue_show/index_spec.js
@@ -0,0 +1,19 @@
+import initIssueableApp from '~/issue_show';
+
+describe('Issue show index', () => {
+ describe('initIssueableApp', () => {
+ it('should initialize app with no potential XSS attack', () => {
+ const d = document.createElement('div');
+ d.id = 'js-issuable-app-initial-data';
+ d.innerHTML = JSON.stringify({
+ initialDescriptionHtml: '<img src=x onerror=alert(1)>',
+ });
+ document.body.appendChild(d);
+
+ const alertSpy = spyOn(window, 'alert');
+ initIssueableApp();
+
+ expect(alertSpy).not.toHaveBeenCalled();
+ });
+ });
+}); |
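Review bot: The fixture element appended at `document.body.appendChild(d)` is never removed, so `#js-issuable-app-initial-data` carrying the hostile payload stays in the document for every later spec in the run; add `afterEach(() => { const el = document.getElementById('js-issuable-app-initial-data'); if (el) el.remove(); });` inside the outer describe (or keep `d` in describe scope and call `d.remove()`). The `expect(alertSpy).not.toHaveBeenCalled()` check also runs synchronously right after `initIssueableApp()`, while an inline `onerror` handler on a broken image only fires once the browser's load attempt fails, so this spec can pass whether or not the payload reached the page; asserting on what the app actually rendered (for example, that the mounted description contains no `img` element with an inline event attribute) would pin the fix instead. Note too that `d.innerHTML = JSON.stringify(...)` has the browser parse the payload as markup inside the fixture itself, which may not match how the server emits this element; if the app reads the element's text, `d.textContent` would keep the JSON inert in the fixture, so please confirm against the production template.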