author | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
---|---|---|
committer | GitLab Bot <gitlab-bot@gitlab.com> | 2020-06-29 19:21:38 +0000 |
commit | 11e9b7b58837da351f08c18e6f0f4faba4d7d301 (patch) | |
tree | d9b28159a53c3814c8a2e6b33a5f01557b757439 /spec/features | |
parent | 2b0b97e746e327c6168505df7740e667b690a27f (diff) | |
download | gitlab-ce-11e9b7b58837da351f08c18e6f0f4faba4d7d301.tar.gz |
Add latest changes from gitlab-org/security/gitlab@13-1-stable-ee
Diffstat (limited to 'spec/features')
-rw-r--r-- | spec/features/snippets/notes_on_personal_snippets_spec.rb | 28 |
1 files changed, 25 insertions, 3 deletions
diff --git a/spec/features/snippets/notes_on_personal_snippets_spec.rb b/spec/features/snippets/notes_on_personal_snippets_spec.rb
index aaaa61fec62..55031183e10 100644
--- a/spec/features/snippets/notes_on_personal_snippets_spec.rb
+++ b/spec/features/snippets/notes_on_personal_snippets_spec.rb
@@ -5,15 +5,17 @@ require 'spec_helper'
 RSpec.describe 'Comments on personal snippets', :js do
 include NoteInteractionHelpers
- let!(:user) { create(:user) }
- let!(:snippet) { create(:personal_snippet, :public) }
+ let_it_be(:snippet) { create(:personal_snippet, :public) }
+ let_it_be(:other_note) { create(:note_on_personal_snippet) }
+
+ let(:user_name) { 'Test User' }
+ let!(:user) { create(:user, name: user_name) }
 let!(:snippet_notes) do
 [
 create(:note_on_personal_snippet, noteable: snippet, author: user),
 create(:note_on_personal_snippet, noteable: snippet)
 ]
 end
- let!(:other_note) { create(:note_on_personal_snippet) }
 before do
 stub_feature_flags(snippets_vue: false)
@@ -56,6 +58,26 @@ RSpec.describe 'Comments on personal snippets', :js do
 expect(page).to show_user_status(status)
 end
 end
+
+ it 'shows the author name' do
+ visit snippet_path(snippet)
+
+ within("#note_#{snippet_notes[0].id}") do
+ expect(page).to have_content(user_name)
+ end
+ end
+
+ context 'when the author name contains HTML' do
+ let(:user_name) { '<h1><a href="https://bad.link/malicious.exe" class="evil">Fake Content<img class="fake-icon" src="image.png"></a></h1>' }
+
+ it 'renders the name as plain text' do
+ visit snippet_path(snippet)
+
+ content = find("#note_#{snippet_notes[0].id} .note-header-author-name").text
+
+ expect(content).to eq user_name
+ end
+ end
 end
 context 'when submitting a note' do |
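Review bot: The 'renders the name as plain text' example in the second hunk only compares the `.text` of `.note-header-author-name` with the raw name, and the `evil` and `fake-icon` classes in the payload are never asserted on. A negative DOM check in the same example, `within("#note_#{snippet_notes[0].id}") { expect(page).not_to have_css('a.evil, img.fake-icon') }`, would also fail if the name were emitted as markup anywhere else inside the note, not just in the header element. A short comment above the context, such as `# Regression: author names must be HTML-escaped when a note is rendered`, would explain why the payload looks the way it does. The enclosing context block opens outside this hunk, so I cannot see whether other examples there already cover the rest of the note.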