author | Filipa Lacerda <filipa@gitlab.com> | 2018-06-28 15:25:49 +0100 |
---|---|---|
committer | Mayra Cabrera <mcabrera@gitlab.com> | 2018-07-06 08:55:24 -0500 |
commit | 0e7aa236c8c8143770b6602fa99cb4197c65fe70 (patch) | |
tree | d87011605bb07678f94b8abd9f27aecc2cb8f2c8 /spec/features/projects/jobs_spec.rb | |
parent | 26998c68c936f183ead1a84e404a61160fc646f7 (diff) | |
Escapes job name used in tooltips in vue components
Use sanitize to strip src attributes
Changes sidebar back to use sanitize
Diffstat (limited to 'spec/features/projects/jobs_spec.rb')
-rw-r--r-- | spec/features/projects/jobs_spec.rb | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/features/projects/jobs_spec.rb b/spec/features/projects/jobs_spec.rb
index d06abdd999b..c7e0afeef4a 100644
--- a/spec/features/projects/jobs_spec.rb
+++ b/spec/features/projects/jobs_spec.rb
@@ -135,6 +135,20 @@ feature 'Jobs', :clean_gitlab_redis_shared_state do
 end
 end
+ context 'sidebar' do
+ let(:job) { create(:ci_build, :success, :trace_live, pipeline: pipeline, name: '<img src=x onerror=alert(document.domain)>') }
+
+ before do
+ visit project_job_path(project, job)
+ end
+
+ it 'renders escaped tooltip name' do
+ page.within('aside.right-sidebar') do
+ expect(find('.active.build-job a')['data-title']).to eq('<img src="x"> - passed')
+ end
+ end
+ end
+
 context 'when job is not running', :js do
 let(:job) { create(:ci_build, :success, :trace_artifact, pipeline: pipeline) } |
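Review bot: The expectation in `it 'renders escaped tooltip name'` pins sanitized rather than escaped output: `data-title` still carries a live `<img src="x">` tag and only the `onerror` handler is gone, which also disagrees with the commit message's "strip src attributes". If the tooltip is rendered as HTML (not visible in this hunk), a job name can still place an image with an arbitrary `src` in the sidebar, so either assert the fully escaped form or rename the example to `it 'strips event handlers from the tooltip name'` and add `expect(find('.active.build-job a')['data-title']).not_to include('onerror')` so the intent is explicit. The `context 'sidebar'` block also lacks the `:js` tag that the neighbouring context has, so this example presumably checks only the server-rendered markup and not the Vue tooltip path named in the commit title.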