Diffstat (limited to 'spec/services/protected_tags/update_service_spec.rb')
-rw-r--r-- | spec/services/protected_tags/update_service_spec.rb | 39 |
1 files changed, 36 insertions, 3 deletions
diff --git a/spec/services/protected_tags/update_service_spec.rb b/spec/services/protected_tags/update_service_spec.rb
index ed151ca2347..22005bb9b89 100644
--- a/spec/services/protected_tags/update_service_spec.rb
+++ b/spec/services/protected_tags/update_service_spec.rb
@@ -6,17 +6,50 @@ RSpec.describe ProtectedTags::UpdateService do
   let(:protected_tag) { create(:protected_tag) }
   let(:project) { protected_tag.project }
   let(:user) { project.owner }
-  let(:params) { { name: 'new protected tag name' } }
+  let(:params) { { name: new_name } }
 
   describe '#execute' do
+    let(:new_name) { 'new protected tag name' }
+    let(:result) { service.execute(protected_tag) }
+
     subject(:service) { described_class.new(project, user, params) }
 
     it 'updates a protected tag' do
-      result = service.execute(protected_tag)
-
       expect(result.reload.name).to eq(params[:name])
     end
 
+    context 'when name has escaped HTML' do
+      let(:new_name) { 'tag->test' }
+
+      it 'updates protected tag name with unescaped HTML' do
+        expect(result.reload.name).to eq('tag->test')
+      end
+
+      context 'and name contains HTML tags' do
+        let(:new_name) { '<b>tag</b>' }
+
+        it 'updates protected tag name with sanitized name' do
+          expect(result.reload.name).to eq('tag')
+        end
+
+        context 'and contains unsafe HTML' do
+          let(:new_name) { '<script>alert('foo');</script>' }
+
+          it 'does not update the protected tag' do
+            expect(result.reload.name).to eq(protected_tag.name)
+          end
+        end
+      end
+    end
+
+    context 'when name contains unescaped HTML tags' do
+      let(:new_name) { '<b>tag</b>' }
+
+      it 'updates protected tag name with sanitized name' do
+        expect(result.reload.name).to eq('tag')
+      end
+    end
+
     context 'without admin_project permissions' do
       let(:user) { create(:user) }
|
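Review bot: The 'does not update the protected tag' example in the 'and contains unsafe HTML' context asserts `expect(result.reload.name).to eq(protected_tag.name)`, which looks tautological: if `execute` returns the record it was handed, as the first example's `result.reload` implies, both sides read the same reloaded object and the example passes even when the script-bearing name was stored or merely sanitized, so it does not prove that unsafe input is rejected. Comparing against the pre-call value makes the rejection observable, `expect { result }.not_to change { protected_tag.reload.name }`, ideally alongside an assertion on whatever error the service reports for the rejected name. As rendered, the literal `'<script>alert('foo');</script>'` cannot parse in Ruby because the inner single quotes close the string; unless the page dropped escaping, it should be `"<script>alert('foo');</script>"` (or a `%q` literal). The 'when name contains unescaped HTML tags' context repeats the nested 'and name contains HTML tags' context verbatim, and nesting that one under 'when name has escaped HTML' is misleading since `new_name` is overridden there; one flat context per input shape would read better. The `'tag->test'` example also appears to assert exactly the string it sends, so the escaped form may have been lost in rendering; worth confirming the committed spec still sends the entity-encoded name.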