diff options
| author | Nick Thomas <nick@gitlab.com> | 2018-04-11 00:55:02 +0100 |
|---|---|---|
| committer | Nick Thomas <nick@gitlab.com> | 2018-04-11 00:55:02 +0100 |
| commit | 3f73bdd837f9803b75eca484a0a0615db6c58c80 (patch) | |
| tree | 0bd2c99d9198bfa22e7a29f375131f940033da7b /spec/helpers/diff_helper_spec.rb | |
| parent | b594ab949d1a2ceb9d949ff2641679fbdf273452 (diff) | |
| parent | 37a5632483b67ddcfa4c535cc911319b25f01fb5 (diff) | |
| download | gitlab-ce-xterm-npm.tar.gz | |
Merge branch 'master' into xterm-npmxterm-npm
Diffstat (limited to 'spec/helpers/diff_helper_spec.rb')
| -rw-r--r-- | spec/helpers/diff_helper_spec.rb | 30 |
1 files changed, 28 insertions, 2 deletions
diff --git a/spec/helpers/diff_helper_spec.rb b/spec/helpers/diff_helper_spec.rb index 15cbe36ae76..53c010fa0db 100644 --- a/spec/helpers/diff_helper_spec.rb +++ b/spec/helpers/diff_helper_spec.rb @@ -135,11 +135,37 @@ describe DiffHelper do it "returns strings with marked inline diffs" do marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) - expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">'def'</span>}) + expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">'def'</span>}) expect(marked_old_line).to be_html_safe - expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">"def"</span>}) + expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">"def"</span>}) expect(marked_new_line).to be_html_safe end + + context 'when given HTML' do + it 'sanitizes it' do + old_line = %{test.txt} + new_line = %{<img src=x onerror=alert(document.domain)>} + + marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) + + expect(marked_old_line).to eq(%q{<span class="idiff left right deletion">test.txt</span>}) + expect(marked_old_line).to be_html_safe + expect(marked_new_line).to eq(%q{<span class="idiff left right addition"><img src=x onerror=alert(document.domain)></span>}) + expect(marked_new_line).to be_html_safe + end + + it 'sanitizes the entire line, not just the changes' do + old_line = %{<img src=x onerror=alert(document.domain)>} + new_line = %{<img src=y onerror=alert(document.domain)>} + + marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line) + + expect(marked_old_line).to eq(%q{<img src=<span class="idiff left right deletion">x</span> onerror=alert(document.domain)>}) + expect(marked_old_line).to be_html_safe + expect(marked_new_line).to eq(%q{<img src=<span class="idiff left right addition">y</span> onerror=alert(document.domain)>}) + expect(marked_new_line).to be_html_safe + end + end end describe '#parallel_diff_discussions' do |