From 941a2d27373a99cb96561e7f41ac6ae8351dbb96 Mon Sep 17 00:00:00 2001 From: Jacob Schatz Date: Wed, 6 Sep 2017 15:59:49 +0000 Subject: Merge branch 'fix-comment-reflection' into 'security-9-5' Fix Live Comment XSS Vulnerability See merge request gitlab/gitlabhq!2183 --- spec/javascripts/notes_spec.js | 14 ++++++++++++++ 1 file changed, 14 insertions(+) (limited to 'spec/javascripts/notes_spec.js') diff --git a/spec/javascripts/notes_spec.js b/spec/javascripts/notes_spec.js index 8c5ad8914b0..3e791a31604 100644 --- a/spec/javascripts/notes_spec.js +++ b/spec/javascripts/notes_spec.js @@ -770,6 +770,20 @@ import '~/notes'; expect($tempNote.prop('nodeName')).toEqual('LI'); expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy(); }); + + it('should return a escaped user name', () => { + const currentUserFullnameXSS = 'Foo '; + const $tempNote = this.notes.createPlaceholderNote({ + formContent: sampleComment, + uniqueId, + isDiscussionNote: false, + currentUsername, + currentUserFullname: currentUserFullnameXSS, + currentUserAvatar, + }); + const $tempNoteHeader = $tempNote.find('.note-header'); + expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual('Foo <script>alert("XSS")</script>'); + }); }); describe('createPlaceholderSystemNote', () => { -- cgit v1.2.1