From b64b61bfe72c54fe4a7fdce34b2f1591e3822e5e Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Tue, 1 Nov 2022 11:52:52 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@15-5-stable-ee

---
 .../projects/artifacts/user_browses_artifacts_spec.rb         | 11 +++++------
 spec/features/projects/blobs/blob_show_spec.rb                |  8 +++-----
 2 files changed, 8 insertions(+), 11 deletions(-)

(limited to 'spec/features')

diff --git a/spec/features/projects/artifacts/user_browses_artifacts_spec.rb b/spec/features/projects/artifacts/user_browses_artifacts_spec.rb
index 2d09f5a4263..c0d710fe186 100644
--- a/spec/features/projects/artifacts/user_browses_artifacts_spec.rb
+++ b/spec/features/projects/artifacts/user_browses_artifacts_spec.rb
@@ -81,12 +81,11 @@ RSpec.describe "User browses artifacts" do
       end
 
       it "shows correct content" do
-        link = first(".tree-item-file-external-link")
-
-        expect(link[:target]).to eq("_blank")
-        expect(link[:rel]).to include("noopener").and include("noreferrer")
-        expect(page).to have_link("doc_sample.txt", href: file_project_job_artifacts_path(project, job, path: txt_entry.blob.path))
-                   .and have_selector(".js-artifact-tree-external-icon")
+        expect(page)
+          .to have_link(
+            "doc_sample.txt",
+            href: external_file_project_job_artifacts_path(project, job, path: txt_entry.blob.path)
+          ).and have_selector(".js-artifact-tree-external-icon")
 
         page.within(".tree-table") do
           expect(page).to have_content("..").and have_content("another-subdirectory")
diff --git a/spec/features/projects/blobs/blob_show_spec.rb b/spec/features/projects/blobs/blob_show_spec.rb
index 93e5be18229..d679d1eeeb9 100644
--- a/spec/features/projects/blobs/blob_show_spec.rb
+++ b/spec/features/projects/blobs/blob_show_spec.rb
@@ -1001,11 +1001,9 @@ RSpec.describe 'File blob', :js do
         wait_for_requests
       end
 
-      it 'removes `style`, `class`, and `data-*`` attributes from HTML' do
-        expect(page).to have_css('h1', text: 'Swagger API documentation')
-        expect(page).not_to have_css('.foo-bar')
-        expect(page).not_to have_css('[style="background-color: red;"]')
-        expect(page).not_to have_css('[data-foo-bar="baz"]')
+      it 'renders sandboxed iframe' do
+        expected = %(<iframe src="/-/sandbox/swagger" sandbox="allow-scripts" frameborder="0" width="100%" height="1000">)
+        expect(page.html).to include(expected)
       end
     end
   end
-- 
cgit v1.2.3