diff options
author | John Jarvis <jarv@gitlab.com> | 2019-01-02 12:34:13 +0300 |
---|---|---|
committer | John Jarvis <jarv@gitlab.com> | 2019-01-02 12:34:13 +0300 |
commit | 90e1f10f074607e1ae061e7bc3594a9dfe7873f8 (patch) | |
tree | 4843899683beba31bf6549f1070a61aff1375c27 /spec/lib | |
parent | a74700178db77aaba47f3773abe2b7e3c9cf6732 (diff) | |
parent | a1d69ab6b86b93e600bdd90190f0a7d574992e91 (diff) |
Merge branch 'security-label-xss' into 'master'
[master] Escape html entities when no label found
See merge request gitlab/gitlabhq!2706
Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/banzai/filter/label_reference_filter_spec.rb | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb index 00257ed7904..9cfdb9e53a2 100644 --- a/spec/lib/banzai/filter/label_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb @@ -236,6 +236,24 @@ describe Banzai::Filter::LabelReferenceFilter do end end + context 'References with html entities' do + let!(:label) { create(:label, name: '<html>', project: project) } + + it 'links to a valid reference' do + doc = reference_filter('See ~"<html>"') + + expect(doc.css('a').first.attr('href')).to eq urls + .project_issues_url(project, label_name: label.name) + expect(doc.text).to eq 'See <html>' + end + + it 'ignores invalid label names and escapes entities' do + act = %(Label #{Label.reference_prefix}"<non valid>") + + expect(reference_filter(act).to_html).to eq act + end + end + describe 'consecutive references' do let(:bug) { create(:label, name: 'bug', project: project) } let(:feature_proposal) { create(:label, name: 'feature proposal', project: project) } |