Escaping the `object_link_text` on cross project milestone references

author: Alejandro Rodríguez <alejandroluis24@gmail.com> 2016-04-04 23:09:44 -0300
committer: Alejandro Rodríguez <alejandroluis24@gmail.com> 2016-04-20 22:12:43 -0300
commit: 1ff896f2bf5d06d0d772fd0df98bf43edf107373 (patch)
tree: e8bd284dc13fdac270f05123778b8a6fe712b8a0 /spec/lib
parent: 6d9794d42a7bea1150374c76fd3ce5521a44e58e (diff)
download: gitlab-ce-1ff896f2bf5d06d0d772fd0df98bf43edf107373.tar.gz
1 files changed, 6 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
index 26f87286b2c..ac3e6e4e536 100644
--- a/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
+++ b/spec/lib/banzai/filter/milestone_reference_filter_spec.rb
@@ -176,5 +176,11 @@ describe Banzai::Filter::MilestoneReferenceFilter, lib: true do
     it 'contains cross project content' do
       expect(result.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
     end
+
+    it 'escapes the name attribute' do
+      allow_any_instance_of(Milestone).to receive(:title).and_return(%{"></a>whatever<a title="})
+      doc = reference_filter("See #{reference}")
+      expect(doc.css('a').first.text).to eq "#{milestone.name} in #{project_name}"
+    end
   end
 end
author	Alejandro Rodríguez <alejandroluis24@gmail.com>	2016-04-04 23:09:44 -0300
committer	Alejandro Rodríguez <alejandroluis24@gmail.com>	2016-04-20 22:12:43 -0300
commit	1ff896f2bf5d06d0d772fd0df98bf43edf107373 (patch)
tree	e8bd284dc13fdac270f05123778b8a6fe712b8a0 /spec/lib
parent	6d9794d42a7bea1150374c76fd3ce5521a44e58e (diff)
download	gitlab-ce-1ff896f2bf5d06d0d772fd0df98bf43edf107373.tar.gz