diff options
| author | Timothy Andrew <tim@gitlab.com> | 2017-05-26 08:44:28 +0300 |
|---|---|---|
| committer | Timothy Andrew <mail@timothyandrew.net> | 2017-05-31 06:52:57 +0300 |
| commit | 6a9efdc502b26337477b8ec55bbe7240b349891c (patch) | |
| tree | 7f1227fe2ea6cf9e54c66c923003d42edb82b7e8 /spec | |
| parent | 7acf831645c3e6ec977a9cc3d02fdbbf7b8e485a (diff) | |
Merge branch 'cherry-pick-dc2ac993' into 'security-9-2'
Escapes html content before appending it to the DOM
See merge request !2107
Diffstat (limited to 'spec')
| -rw-r--r-- | spec/javascripts/notes_spec.js | 39 |
1 files changed, 39 insertions, 0 deletions
diff --git a/spec/javascripts/notes_spec.js b/spec/javascripts/notes_spec.js index bcee0498d64..8fb2216d94b 100644 --- a/spec/javascripts/notes_spec.js +++ b/spec/javascripts/notes_spec.js @@ -442,6 +442,45 @@ import '~/notes'; }); }); + describe('update comment with script tags', () => { + const sampleComment = '<script></script>'; + const updatedComment = '<script></script>'; + const note = { + id: 1234, + html: `<li class="note note-row-1234 timeline-entry" id="note_1234"> + <div class="note-text">${sampleComment}</div> + </li>`, + note: sampleComment, + valid: true + }; + let $form; + let $notesContainer; + + beforeEach(() => { + this.notes = new Notes('', []); + window.gon.current_username = 'root'; + window.gon.current_user_fullname = 'Administrator'; + $form = $('form.js-main-target-form'); + $notesContainer = $('ul.main-notes-list'); + $form.find('textarea.js-note-text').html(sampleComment); + }); + + it('should not render a script tag', () => { + const deferred = $.Deferred(); + spyOn($, 'ajax').and.returnValue(deferred.promise()); + $('.js-comment-button').click(); + + deferred.resolve(note); + const $noteEl = $notesContainer.find(`#note_${note.id}`); + $noteEl.find('.js-note-edit').click(); + $noteEl.find('textarea.js-note-text').html(updatedComment); + $noteEl.find('.js-comment-save-button').click(); + + const $updatedNoteEl = $notesContainer.find(`#note_${note.id}`).find('.js-task-list-container'); + expect($updatedNoteEl.find('.note-text').text().trim()).toEqual(''); + }); + }); + describe('getFormData', () => { it('should return form metadata object from form reference', () => { this.notes = new Notes('', []); |