Merge branch 'security-fix-markdown-xss' into 'master'

Re-escape the whole HTML content when finding HTML references See merge request gitlab/gitlabhq!3340
author: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-30 00:33:47 +0300
committer: GitLab Release Tools Bot <robert+release-tools@gitlab.com> 2019-08-30 00:33:47 +0300
commit: 61c9f078022304dc9038797a4bab043702338e1b (patch)
tree: db8edc6a7693e453548eb7c32b3b97a64f3613ad /spec/lib
parent: df556bf2f6a49790803386149d817252f6363b7a (diff)
parent: a98b89e9bcb56b9adc3a4b0bef3e9844bf93bfd0 (diff)
2 files changed, 13 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb
index 213a5459118..35e99d2586e 100644
--- a/spec/lib/banzai/filter/label_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb
@@ -10,6 +10,11 @@ describe Banzai::Filter::LabelReferenceFilter do
   let(:label)     { create(:label, project: project) }
   let(:reference) { label.to_reference }
 
+  it_behaves_like 'HTML text with references' do
+    let(:resource) { label }
+    let(:resource_text) { resource.title }
+  end
+
   it 'requires project context' do
     expect { described_class.call('') }.to raise_error(ArgumentError, /:project/)
   end
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index 3f021adc756..ab0c2c383c5 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -329,6 +329,10 @@ describe Banzai::Filter::MilestoneReferenceFilter do
     it_behaves_like 'cross-project / same-namespace complete reference'
     it_behaves_like 'cross project shorthand reference'
     it_behaves_like 'references with HTML entities'
+    it_behaves_like 'HTML text with references' do
+      let(:resource) { milestone }
+      let(:resource_text) { "#{resource.class.reference_prefix}#{resource.title}" }
+    end
   end
 
   shared_context 'group milestones' do
@@ -340,6 +344,10 @@ describe Banzai::Filter::MilestoneReferenceFilter do
     it_behaves_like 'String-based multi-word references in quotes'
     it_behaves_like 'referencing a milestone in a link href'
     it_behaves_like 'references with HTML entities'
+    it_behaves_like 'HTML text with references' do
+      let(:resource) { milestone }
+      let(:resource_text) { "#{resource.class.reference_prefix}#{resource.title}" }
+    end
 
     it 'does not support references by IID' do
       doc = reference_filter("See #{Milestone.reference_prefix}#{milestone.iid}")
author	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-30 00:33:47 +0300
committer	GitLab Release Tools Bot <robert+release-tools@gitlab.com>	2019-08-30 00:33:47 +0300
commit	61c9f078022304dc9038797a4bab043702338e1b (patch)
tree	db8edc6a7693e453548eb7c32b3b97a64f3613ad /spec/lib
parent	df556bf2f6a49790803386149d817252f6363b7a (diff)
parent	a98b89e9bcb56b9adc3a4b0bef3e9844bf93bfd0 (diff)