authorFelipe Artur <felipefac@gmail.com>2018-07-26 18:30:50 -0300
committerFelipe Artur <felipefac@gmail.com>2018-07-26 18:30:50 -0300
commit13ea4b387ddcee5f5e8a59ac90dc9e485f4242f5 (patch)
treeea588d7aecbaa8868f23addf50748a14d167e342 /spec/controllers/projects
parentcaeb4597a5b24e0eaa96b24901ce9208c2eef4bf (diff)
parent45c94aba1b90dbe86c5583c8782cc3f624249fa1 (diff)
Merge remote-tracking branch 'dev/master'
Diffstat (limited to 'spec/controllers/projects')
-rw-r--r--spec/controllers/projects/labels_controller_spec.rb8
-rw-r--r--spec/controllers/projects/milestones_controller_spec.rb8
2 files changed, 16 insertions, 0 deletions
diff --git a/spec/controllers/projects/labels_controller_spec.rb b/spec/controllers/projects/labels_controller_spec.rb
index 273702e6d21..e03d23bcdf6 100644
--- a/spec/controllers/projects/labels_controller_spec.rb
+++ b/spec/controllers/projects/labels_controller_spec.rb
@@ -143,6 +143,14 @@ describe Projects::LabelsController do
expect(GroupLabel.find_by(title: promoted_label_name)).not_to be_nil
end
+ it 'renders label name without parsing it as HTML' do
+ label_1.update!(name: 'CCC&lt;img src=x onerror=alert(document.domain)&gt;')
+
+ post :promote, namespace_id: project.namespace.to_param, project_id: project, id: label_1.to_param
+
+ expect(flash[:notice]).to eq("CCC&lt;img src=x onerror=alert(document.domain)&gt; promoted to <a href=\"#{group_labels_path(project.group)}\"><u>group label</u></a>.")
+ end
+
context 'service raising InvalidRecord' do
before do
expect_any_instance_of(Labels::PromoteService).to receive(:execute) do |label|
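Review bot: As displayed, the name stored in the new example already contains entity-encoded text and the expected notice repeats it byte for byte, so the `eq` assertion would pass only if the controller did not escape at all (an escaping controller would emit `&amp;lt;`). If that is the page's rendering of the file rather than its contents, the example is fine; otherwise the stored name should be the raw markup and only the expectation encoded. Either way, a second assertion that holds regardless of the literals' encoding would pin the intent: `expect(flash[:notice]).not_to include('<img')`. A one-line comment above the expectation would also help, e.g. `# the notice is rendered as HTML (it carries an <a> tag), so the label name must arrive entity-encoded`. The enclosing `describe`/`context` starts and ends outside the hunk.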
diff --git a/spec/controllers/projects/milestones_controller_spec.rb b/spec/controllers/projects/milestones_controller_spec.rb
index ea906cf7f32..6c2d1c7e92b 100644
--- a/spec/controllers/projects/milestones_controller_spec.rb
+++ b/spec/controllers/projects/milestones_controller_spec.rb
@@ -127,6 +127,14 @@ describe Projects::MilestonesController do
expect(flash[:notice]).to eq("#{milestone.title} promoted to <a href=\"#{group_milestone_path(project.group, milestone.iid)}\"><u>group milestone</u></a>.")
expect(response).to redirect_to(project_milestones_path(project))
end
+
+ it 'renders milestone name without parsing it as HTML' do
+ milestone.update!(name: 'CCC&lt;img src=x onerror=alert(document.domain)&gt;')
+
+ post :promote, namespace_id: project.namespace.id, project_id: project.id, id: milestone.iid
+
+ expect(flash[:notice]).to eq("CCC promoted to <a href=\"#{group_milestone_path(project.group, milestone.iid)}\"><u>group milestone</u></a>.")
+ end
end
context 'promotion fails' do
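Review bot: The expected notice in the new example starts with plain `CCC`, so the markup was already gone before the controller built the message, presumably stripped when `update!` wrote the value. The example therefore passes even if the controller interpolates the title into the HTML notice unescaped, and it tests the model's write-time cleaning rather than the controller's output encoding. To cover the controller itself, store the value in a way that skips that cleaning, for example `milestone.update_column(:title, raw_title)`, and assert that the notice carries the entity-encoded form and `not_to include('<img')`. The example also writes `name:` while the existing expectation above reads `milestone.title`, so using `title:` would keep the spec consistent. The enclosing `context` starts outside the hunk.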