From 98106ec54e439455f545f3df15332a28b9b0c969 Mon Sep 17 00:00:00 2001 From: Douwe Maan Date: Tue, 3 Apr 2018 09:57:31 +0000 Subject: Merge branch '42028-xss-diffs-10-6' into 'security-10-6' Port of "Fix XSS on commit diff view" for 10-6 See merge request gitlab/gitlabhq!2364 --- spec/helpers/diff_helper_spec.rb | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) (limited to 'spec/helpers') diff --git a/spec/helpers/diff_helper_spec.rb b/spec/helpers/diff_helper_spec.rb index 15cbe36ae76..53c010fa0db 100644 --- a/spec/helpers/diff_helper_spec.rb +++ b/spec/helpers/diff_helper_spec.rb @@ -135,11 +135,37 @@ describe DiffHelper do it "returns strings with marked inline diffs" do marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) - expect(marked_old_line).to eq(%q{abc 'def'}) + expect(marked_old_line).to eq(%q{abc 'def'}) expect(marked_old_line).to be_html_safe - expect(marked_new_line).to eq(%q{abc "def"}) + expect(marked_new_line).to eq(%q{abc "def"}) expect(marked_new_line).to be_html_safe end + + context 'when given HTML' do + it 'sanitizes it' do + old_line = %{test.txt} + new_line = %{} + + marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) + + expect(marked_old_line).to eq(%q{test.txt}) + expect(marked_old_line).to be_html_safe + expect(marked_new_line).to eq(%q{<img src=x onerror=alert(document.domain)>}) + expect(marked_new_line).to be_html_safe + end + + it 'sanitizes the entire line, not just the changes' do + old_line = %{} + new_line = %{} + + marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) + + expect(marked_old_line).to eq(%q{<img src=x onerror=alert(document.domain)>}) + expect(marked_old_line).to be_html_safe + expect(marked_new_line).to eq(%q{<img src=y onerror=alert(document.domain)>}) + expect(marked_new_line).to be_html_safe + end + end end describe '#parallel_diff_discussions' do -- cgit v1.2.3
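Review bot: The two new examples inside `context 'when given HTML'` assign `old_line` and `new_line` as local variables, which shadows the `old_line`/`new_line` the first example in this hunk uses without defining them (presumably `let` bindings from the enclosing `describe`, which starts outside the hunk); overriding them with `let(:old_line) { ... }` and `let(:new_line) { ... }` inside the context would keep the fixture mechanism uniform and make the override explicit. The escaped `<img ... onerror=...>` expectations paired with `be_html_safe` are the right regression check, and the second example correctly verifies that text outside the changed region is escaped as well, not only the marked span. Note that this rendering has dropped the HTML tags from the fixture literals (`new_line = %{}`) and from the expected markup, so the exact payloads and wrapping markup cannot be confirmed from the hunk as shown. A short comment above the context, `# Regression: untrusted line content must be escaped before the inline-diff markup is marked html_safe`, would tie these examples to the intent named in the commit message.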