author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:33:47 +0300 |
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-08-30 00:33:47 +0300 |
commit | 61c9f078022304dc9038797a4bab043702338e1b (patch) | |
tree | db8edc6a7693e453548eb7c32b3b97a64f3613ad /spec/support | |
parent | df556bf2f6a49790803386149d817252f6363b7a (diff) | |
parent | a98b89e9bcb56b9adc3a4b0bef3e9844bf93bfd0 (diff) |
Merge branch 'security-fix-markdown-xss' into 'master'
Re-escape the whole HTML content when finding HTML references
See merge request gitlab/gitlabhq!3340
Diffstat (limited to 'spec/support')
-rw-r--r-- | spec/support/shared_examples/lib/banzai/filters/reference_filter_shared_examples.rb | 23 |
1 files changed, 23 insertions, 0 deletions
diff --git a/spec/support/shared_examples/lib/banzai/filters/reference_filter_shared_examples.rb b/spec/support/shared_examples/lib/banzai/filters/reference_filter_shared_examples.rb
new file mode 100644
index 00000000000..b1ecd4fd007
--- /dev/null
+++ b/spec/support/shared_examples/lib/banzai/filters/reference_filter_shared_examples.rb
@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+RSpec.shared_examples 'HTML text with references' do
+  let(:markdown_prepend) { "<img src=\"\" onerror=alert(`bug`)>" }
+
+  it 'preserves escaped HTML text and adds valid references' do
+    reference = resource.to_reference(format: :name)
+
+    doc = reference_filter("#{markdown_prepend}#{reference}")
+
+    expect(doc.to_html).to start_with(markdown_prepend)
+    expect(doc.text).to eq %(<img src="" onerror=alert(`bug`)>#{resource_text})
+  end
+
+  it 'preserves escaped HTML text if there are no valid references' do
+    reference = "#{resource.class.reference_prefix}invalid"
+    text = "#{markdown_prepend}#{reference}"
+
+    doc = reference_filter(text)
+
+    expect(doc.to_html).to eq text
+  end
+end
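Review bot: The shared example depends on `resource`, `resource_text` and the `reference_filter` helper being supplied by the including spec, and on `resource` responding to `to_reference(format: :name)` and `class.reference_prefix`, but nothing in the file states that contract; a comment above `RSpec.shared_examples` would save the next user a failed run, e.g. `# Including specs must define resource (responds to to_reference(format: :name) and class.reference_prefix), resource_text, and the reference_filter helper.` The `let` is named `markdown_prepend` although its value is a raw HTML `<img>` tag rather than Markdown, so `html_prepend` would read more accurately, and a short comment on it could state that the payload is markup which must remain inert text after the filter runs. The first example's `doc.text` assertion is what shows the tag survives as escaped text rather than becoming a live element, so a one-line comment there, `# the tag must remain text content, not an element`, would make the intent explicit; the second example could carry the same `doc.text` check alongside the `to_html` equality, though whether the helper returns escaped text in that case is inferred from the first example rather than visible in the hunk.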