From 16fa5cf183d9f59a66c1e258ce36cd3f09c8d3fd Mon Sep 17 00:00:00 2001
From: GitLab Bot <gitlab-bot@gitlab.com>
Date: Wed, 30 Jun 2021 11:43:14 +0000
Subject: Add latest changes from gitlab-org/security/gitlab@14-0-stable-ee

---
 spec/models/user_spec.rb | 21 ++++++++++++++++++++-
 1 file changed, 20 insertions(+), 1 deletion(-)

(limited to 'spec/models/user_spec.rb')

diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index e5c86e69ffc..dc78ec2be21 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -2882,7 +2882,7 @@ RSpec.describe User do
   end
 
   describe '#sanitize_attrs' do
-    let(:user) { build(:user, name: 'test & user', skype: 'test&user') }
+    let(:user) { build(:user, name: 'test <& user', skype: 'test&user') }
 
     it 'encodes HTML entities in the Skype attribute' do
       expect { user.sanitize_attrs }.to change { user.skype }.to('test&amp;user')
@@ -2891,6 +2891,25 @@ RSpec.describe User do
     it 'does not encode HTML entities in the name attribute' do
       expect { user.sanitize_attrs }.not_to change { user.name }
     end
+
+    it 'sanitizes attr from html tags' do
+      user = create(:user, name: '<a href="//example.com">Test<a>', twitter: '<a href="//evil.com">https://twitter.com<a>')
+
+      expect(user.name).to eq('Test')
+      expect(user.twitter).to eq('https://twitter.com')
+    end
+
+    it 'sanitizes attr from js scripts' do
+      user = create(:user, name: '<script>alert("Test")</script>')
+
+      expect(user.name).to eq("alert(\"Test\")")
+    end
+
+    it 'sanitizes attr from iframe scripts' do
+      user = create(:user, name: 'User"><iframe src=javascript:alert()><iframe>')
+
+      expect(user.name).to eq('User">')
+    end
   end
 
   describe '#starred?' do
-- 
cgit v1.2.3