Escaped html characters

author: Chantal Rollison <crollison@gitlab.com> 2018-08-11 13:33:15 -0700
committer: Chantal Rollison <crollison@gitlab.com> 2018-08-21 07:37:33 -0700
commit: 81a403f05f05f4ee8d65db6185cbd0856f7c5189 (patch)
tree: a16142b2fa175d6d16b70e8cd86ba3f681947b18 /spec/features/merge_request/user_sees_diff_spec.rb
parent: 3cd61fea03b360af50793488a83e8147a1cf3311 (diff)
download: gitlab-ce-81a403f05f05f4ee8d65db6185cbd0856f7c5189.tar.gz
1 files changed, 54 insertions, 0 deletions
diff --git a/spec/features/merge_request/user_sees_diff_spec.rb b/spec/features/merge_request/user_sees_diff_spec.rb
index d6e7ff33d5d..0c15febe8df 100644
--- a/spec/features/merge_request/user_sees_diff_spec.rb
+++ b/spec/features/merge_request/user_sees_diff_spec.rb
@@ -2,6 +2,7 @@ require 'rails_helper'
 
 describe 'Merge request > User sees diff', :js do
   include ProjectForksHelper
+  include RepoHelpers
 
   let(:project) { create(:project, :public, :repository) }
   let(:merge_request) { create(:merge_request, source_project: project) }
@@ -81,5 +82,58 @@ describe 'Merge request > User sees diff', :js do
         expect(page).to have_selector('.js-cancel-fork-suggestion-button', count: 1)
       end
     end
+
+    context 'when file contains html' do
+      let(:current_user) { project.owner }
+      let(:branch_name) {"test_branch"}
+
+      def create_file(branch_name, file_name, content)
+        Files::CreateService.new(
+          project,
+          current_user,
+          start_branch: branch_name,
+          branch_name: branch_name,
+          commit_message: "Create file",
+          file_path: file_name,
+          file_content: content
+        ).execute
+
+        project.commit(branch_name)
+      end
+
+      it 'escapes any HTML special characters in the diff chunk header' do
+        file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let d = 3;
+          }
+        CONTENT
+
+        new_file_content =
+          <<~CONTENT
+          function foo<input> {
+            let a = 1;
+            let b = 2;
+            let c = 3;
+            let x = 3;
+          }
+        CONTENT
+
+        file_name = 'xss_file.txt'
+
+        create_file('master', file_name, file_content)
+        merge_request = create(:merge_request, source_project: project)
+        create_file(merge_request.source_branch, file_name, new_file_content)
+
+        project.commit(merge_request.source_branch)
+
+        visit diffs_project_merge_request_path(project, merge_request)
+
+        expect(page).to have_text("function foo<input> {")
+      end
+    end
   end
 end
author	Chantal Rollison <crollison@gitlab.com>	2018-08-11 13:33:15 -0700
committer	Chantal Rollison <crollison@gitlab.com>	2018-08-21 07:37:33 -0700
commit	81a403f05f05f4ee8d65db6185cbd0856f7c5189 (patch)
tree	a16142b2fa175d6d16b70e8cd86ba3f681947b18 /spec/features/merge_request/user_sees_diff_spec.rb
parent	3cd61fea03b360af50793488a83e8147a1cf3311 (diff)
download	gitlab-ce-81a403f05f05f4ee8d65db6185cbd0856f7c5189.tar.gz