| author | Filipa Lacerda <filipa@gitlab.com> | 2018-08-09 12:05:13 +0100 |
|---|---|---|
| committer | Filipa Lacerda <filipa@gitlab.com> | 2018-08-09 18:28:05 +0100 |
| commit | 5e8f11e5fdb792f17d86cf9321537c5c56801a17 (patch) | |
| tree | 77a87f8692bd1a24cb4c76d11c7c7740ee1e466f /spec/javascripts/pipelines | |
| parent | 68082d352516b5367fce76453b8992f4e44d127e (diff) | |
| download | gitlab-ce-5e8f11e5fdb792f17d86cf9321537c5c56801a17.tar.gz | |
Removes <br> sent from backend on tooltips in jobs
When the backend sends HTML, the frontend has to append it to the DOM, which can cause
XSS vulnerabilities. By removing the `<br>` we avoid those vulnerabilities.
Diffstat (limited to 'spec/javascripts/pipelines')
| -rw-r--r-- | spec/javascripts/pipelines/graph/dropdown_job_component_spec.js | 8 | ||||
| -rw-r--r-- | spec/javascripts/pipelines/graph/job_component_spec.js | 20 |
2 files changed, 0 insertions, 28 deletions
diff --git a/spec/javascripts/pipelines/graph/dropdown_job_component_spec.js b/spec/javascripts/pipelines/graph/dropdown_job_component_spec.js
index ff584396d61..2b47ca236b2 100644
--- a/spec/javascripts/pipelines/graph/dropdown_job_component_spec.js
+++ b/spec/javascripts/pipelines/graph/dropdown_job_component_spec.js
@@ -82,12 +82,4 @@ describe('dropdown job component', () => {
 it('renders dropdown with jobs', () => {
 expect(vm.$el.querySelectorAll('.scrollable-menu>ul>li').length).toEqual(mock.jobs.length);
 });
-
- it('escapes tooltip title', () => {
- expect(
- vm.$el.querySelector('.js-pipeline-graph-job-link').getAttribute('data-original-title'),
- ).toEqual(
- '<img src=x onerror=alert(document.domain)> - passed',
- );
- });
 });
diff --git a/spec/javascripts/pipelines/graph/job_component_spec.js b/spec/javascripts/pipelines/graph/job_component_spec.js
index 215ce1e81b5..0ae448f2ea8 100644
--- a/spec/javascripts/pipelines/graph/job_component_spec.js
+++ b/spec/javascripts/pipelines/graph/job_component_spec.js
@@ -161,24 +161,4 @@ describe('pipeline graph job component', () => {
 expect(component.$el.querySelector(tooltipBoundary)).toBeNull();
 });
 });
-
- describe('tooltipText', () => {
- it('escapes job name', () => {
- component = mountComponent(JobComponent, {
- job: {
- id: 4259,
- name: '<img src=x onerror=alert(document.domain)>',
- status: {
- icon: 'status_success',
- label: 'success',
- tooltip: 'failed',
- },
- },
- });
-
- expect(
- component.$el.querySelector('.js-job-component-tooltip').getAttribute('data-original-title'),
- ).toEqual('<img src=x onerror=alert(document.domain)> - failed');
- });
- });
 }); |
