Add latest changes from gitlab-org/gitlab@14-0-stable-eev14.0.0-rc42

author: GitLab Bot <gitlab-bot@gitlab.com> 2021-06-16 21:25:58 +0300
committer: GitLab Bot <gitlab-bot@gitlab.com> 2021-06-16 21:25:58 +0300
commit: a5f4bba440d7f9ea47046a0a561d49adf0a1e6d4 (patch)
tree: fb69158581673816a8cd895f9d352dcb3c678b1e /spec/lib/gitlab/emoji_spec.rb
parent: d16b2e8639e99961de6ddc93909f3bb5c1445ba1 (diff)
1 files changed, 10 insertions, 1 deletions
diff --git a/spec/lib/gitlab/emoji_spec.rb b/spec/lib/gitlab/emoji_spec.rb
index ada37f25d1e..8f855489c12 100644
--- a/spec/lib/gitlab/emoji_spec.rb
+++ b/spec/lib/gitlab/emoji_spec.rb
@@ -91,7 +91,16 @@ RSpec.describe Gitlab::Emoji do
     it 'returns emoji image tag' do
       emoji_image = described_class.emoji_image_tag('emoji_one', 'src_url')
 
-      expect(emoji_image).to eq( "<img class='emoji' title=':emoji_one:' alt=':emoji_one:' src='src_url' height='20' width='20' align='absmiddle' />")
+      expect(emoji_image).to eq("<img class=\"emoji\" src=\"src_url\" title=\":emoji_one:\" alt=\":emoji_one:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
+    end
+
+    it 'escapes emoji image attrs to prevent XSS' do
+      xss_payload = "<script>alert(1)</script>"
+      escaped_xss_payload = html_escape(xss_payload)
+
+      emoji_image = described_class.emoji_image_tag(xss_payload, 'http://aaa#' + xss_payload)
+
+      expect(emoji_image).to eq("<img class=\"emoji\" src=\"http://aaa##{escaped_xss_payload}\" title=\":#{escaped_xss_payload}:\" alt=\":#{escaped_xss_payload}:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
     end
   end
author	GitLab Bot <gitlab-bot@gitlab.com>	2021-06-16 21:25:58 +0300
committer	GitLab Bot <gitlab-bot@gitlab.com>	2021-06-16 21:25:58 +0300
commit	a5f4bba440d7f9ea47046a0a561d49adf0a1e6d4 (patch)
tree	fb69158581673816a8cd895f9d352dcb3c678b1e /spec/lib/gitlab/emoji_spec.rb
parent	d16b2e8639e99961de6ddc93909f3bb5c1445ba1 (diff)