diff options
author | Jen-Shin Lin <jen-shin@gitlab.com> | 2017-10-17 13:12:24 +0300 |
---|---|---|
committer | Stan Hu <stanhu@gmail.com> | 2017-10-18 01:58:58 +0300 |
commit | bd46c8abfd5ee964c47eff0ace021e45cbbe6687 (patch) | |
tree | e22dc885b8d70829cf3893cc65c49f6351bc2d34 /spec/lib/banzai | |
parent | 9978ef9884023df12b3fbc5758cf93d166100c80 (diff) |
Merge branch 'security-10-1' into '10-1-stable'
Security fixes for 10.1 RC
See merge request gitlab/gitlabhq!2209
Diffstat (limited to 'spec/lib/banzai')
-rw-r--r-- | spec/lib/banzai/filter/sanitization_filter_spec.rb | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb index 5f41e28fece..17a620ef603 100644 --- a/spec/lib/banzai/filter/sanitization_filter_spec.rb +++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb @@ -217,6 +217,11 @@ describe Banzai::Filter::SanitizationFilter do output: '<img>' }, + 'protocol-based JS injection: Unicode' => { + input: %Q(<a href="\u0001java\u0003script:alert('XSS')">foo</a>), + output: '<a>foo</a>' + }, + 'protocol-based JS injection: spaces and entities' => { input: '<a href="  javascript:alert(\'XSS\');">foo</a>', output: '<a href="">foo</a>' |