Merge branch 'master' into sh-test-ldap-clones-via-gitlab-qa

author: Stan Hu <stanhu@gmail.com> 2018-08-29 22:54:12 -0700
committer: Stan Hu <stanhu@gmail.com> 2018-08-29 22:54:12 -0700
commit: 69eddc14b11b63429b8f2511a1127616c692b94c (patch)
tree: a94482be144cef60a8ee1b590857ca24f49f418a /spec/features/merge_request/user_sees_diff_spec.rb
parent: bc7a4eedf9fa6681465b622af52c34d49ffb5d0e (diff)
parent: f981d4febbbb5103262f4daa858236d9c4ed9d67 (diff)
download: gitlab-ce-69eddc14b11b63429b8f2511a1127616c692b94c.tar.gz
1 files changed, 54 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_sees_diff_spec.rb b/spec/features/merge_request/user_sees_diff_spec.rb
index d6e7ff33d5d..0c15febe8df 100644
--- a/spec/features/merge_request/user_sees_diff_spec.rb
+++ b/spec/features/merge_request/user_sees_diff_spec.rb
@@ -2,6 +2,7 @@ require 'rails_helper'
 
 describe 'Merge request > User sees diff', :js do
   include ProjectForksHelper
+  include RepoHelpers
 
   let(:project) { create(:project, :public, :repository) }
   let(:merge_request) { create(:merge_request, source_project: project) }
@@ -81,5 +82,58 @@ describe 'Merge request > User sees diff', :js do
         expect(page).to have_selector('.js-cancel-fork-suggestion-button', count: 1)
       end
     end
+
+    context 'when file contains html' do
+      let(:current_user) { project.owner }
+      let(:branch_name) {"test_branch"}
+
+      def create_file(branch_name, file_name, content)
+        Files::CreateService.new(
+          project,
+          current_user,
+          start_branch: branch_name,
+          branch_name: branch_name,
+          commit_message: "Create file",
+          file_path: file_name,
+          file_content: content
+        ).execute
+
+        project.commit(branch_name)
+      end
+
+      it 'escapes any HTML special characters in the diff chunk header' do
+        file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let d = 3;
+          }
+        CONTENT
+
+        new_file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let x = 3;
+          }
+        CONTENT
+
+        file_name = 'xss_file.txt'
+
+        create_file('master', file_name, file_content)
+        merge_request = create(:merge_request, source_project: project)
+        create_file(merge_request.source_branch, file_name, new_file_content)
+
+        project.commit(merge_request.source_branch)
+
+        visit diffs_project_merge_request_path(project, merge_request)
+
+        expect(page).to have_text("function foo<input> {")
+      end
+    end
   end
 end
author	Stan Hu <stanhu@gmail.com>	2018-08-29 22:54:12 -0700
committer	Stan Hu <stanhu@gmail.com>	2018-08-29 22:54:12 -0700
commit	69eddc14b11b63429b8f2511a1127616c692b94c (patch)
tree	a94482be144cef60a8ee1b590857ca24f49f418a /spec/features/merge_request/user_sees_diff_spec.rb
parent	bc7a4eedf9fa6681465b622af52c34d49ffb5d0e (diff)
parent	f981d4febbbb5103262f4daa858236d9c4ed9d67 (diff)
download	gitlab-ce-69eddc14b11b63429b8f2511a1127616c692b94c.tar.gz