1 files changed, 69 insertions, 27 deletions

diff --git a/spec/features/runners_spec.rb b/spec/features/runners_spec.rb
index acfb7c2602a..b61a769185e 100644
--- a/spec/features/runners_spec.rb
+++ b/spec/features/runners_spec.rb
@@ -160,50 +160,92 @@ RSpec.describe 'Runners' do
       end
     end
 
-    context 'when application settings have shared_runners_text' do
-      let(:shared_runners_text) { 'custom **shared** runners description' }
-      let(:shared_runners_html) { 'custom shared runners description' }
+    context 'shared runner text' do
+      context 'when application settings have no shared_runners_text' do
+        it 'user sees default shared runners description' do
+          visit project_runners_path(project)
 
-      before do
-        stub_application_setting(shared_runners_text: shared_runners_text)
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_content('The same shared runner executes code from multiple projects')
+          end
+        end
       end
 
-      it 'user sees shared runners description' do
-        visit project_runners_path(project)
+      context 'when application settings have shared_runners_text' do
+        let(:shared_runners_text) { 'custom **shared** runners description' }
+        let(:shared_runners_html) { 'custom shared runners description' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees shared runners description' do
+          visit project_runners_path(project)
 
-        expect(page.find('.shared-runners-description')).to have_content(shared_runners_html)
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).not_to have_content('The same shared runner executes code from multiple projects')
+            expect(page).to have_content(shared_runners_html)
+          end
+        end
       end
-    end
-  end
 
-  context 'when a project has disabled shared_runners' do
-    let(:project) { create(:project, shared_runners_enabled: false) }
+      context 'when application settings have an unsafe link in shared_runners_text' do
+        let(:shared_runners_text) { '<a href="javascript:alert(\'xss\')">link</a>' }
 
-    context 'when feature flag: vueify_shared_runners_toggle is disabled' do
-      before do
-        stub_feature_flags(vueify_shared_runners_toggle: false)
-        project.add_maintainer(user)
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
+
+        it 'user sees no link' do
+          visit project_runners_path(project)
+
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_content('link')
+            expect(page).not_to have_link('link')
+          end
+        end
       end
 
-      it 'user enables shared runners' do
-        visit project_runners_path(project)
+      context 'when application settings have an unsafe image in shared_runners_text' do
+        let(:shared_runners_text) { '<img src="404.png" onerror="alert(\'xss\')"/>' }
+
+        before do
+          stub_application_setting(shared_runners_text: shared_runners_text)
+        end
 
-        click_on 'Enable shared runners'
+        it 'user sees image safely' do
+          visit project_runners_path(project)
 
-        expect(page.find('.shared-runners-description')).to have_content('Disable shared runners')
-        expect(page).not_to have_selector('#toggle-shared-runners-form')
+          page.within("[data-testid='shared-runners-description']") do
+            expect(page).to have_css('img')
+            expect(page).not_to have_css('img[onerror]')
+          end
+        end
       end
     end
+  end
+
+  context 'enable shared runners in project settings', :js do
+    before do
+      project.add_maintainer(user)
+
+      visit project_runners_path(project)
+    end
 
-    context 'when feature flag: vueify_shared_runners_toggle is enabled' do
-      before do
-        project.add_maintainer(user)
+    context 'when a project has enabled shared_runners' do
+      let(:project) { create(:project, shared_runners_enabled: true) }
+
+      it 'shared runners toggle is on' do
+        expect(page).to have_selector('[data-testid="toggle-shared-runners"]')
+        expect(page).to have_selector('[data-testid="toggle-shared-runners"] .is-checked')
       end
+    end
 
-      it 'user enables shared runners' do
-        visit project_runners_path(project)
+    context 'when a project has disabled shared_runners' do
+      let(:project) { create(:project, shared_runners_enabled: false) }
 
-        expect(page).to have_selector('#toggle-shared-runners-form')
+      it 'shared runners toggle is off' do
+        expect(page).not_to have_selector('[data-testid="toggle-shared-runners"] .is-checked')
       end
     end
   end