Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'

Escape HTML nodes in builds commands in ci linter This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view. Closes #22541 See merge request !2001 Signed-off-by: Rémy Coutable <remy@rymai.me>
author: Robert Speicher <robert@gitlab.com> 2016-09-28 18:02:12 +0300
committer: Rémy Coutable <remy@rymai.me> 2016-09-28 18:50:04 +0300
commit: 23c297e781da2f8584fd47aecc2544e1a01b886f (patch)
tree: 1d2f37ab13234704351f814175ce87116863b752 /spec
parent: 4f1a1bbc2b0501dd7ba227597e115517e3a1fb3f (diff)
1 files changed, 35 insertions, 0 deletions
diff --git a/spec/views/ci/lints/show.html.haml_spec.rb b/spec/views/ci/lints/show.html.haml_spec.rb
new file mode 100644
index 00000000000..3a65a86cd88
--- /dev/null
+++ b/spec/views/ci/lints/show.html.haml_spec.rb
@@ -0,0 +1,35 @@
+require 'spec_helper'
+
+describe 'ci/lints/show' do
+  include Devise::TestHelpers
+
+  before do
+    assign(:status, true)
+    assign(:stages, %w[test])
+    assign(:builds, builds)
+  end
+
+  context 'when builds attrbiutes contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ]
+    end
+
+    it 'does not render HTML elements' do
+      render
+
+      expect(rendered).not_to have_css('h1', text: 'rspec')
+    end
+  end
+
+  context 'when builds attributes do not contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: 'rspec' } ]
+    end
+
+    it 'shows configuration in the table' do
+      render
+
+      expect(rendered).to have_css('td pre', text: 'rspec')
+    end
+  end
+end
author	Robert Speicher <robert@gitlab.com>	2016-09-28 18:02:12 +0300
committer	Rémy Coutable <remy@rymai.me>	2016-09-28 18:50:04 +0300
commit	23c297e781da2f8584fd47aecc2544e1a01b886f (patch)
tree	1d2f37ab13234704351f814175ce87116863b752 /spec
parent	4f1a1bbc2b0501dd7ba227597e115517e3a1fb3f (diff)