author | Robert Speicher <robert@gitlab.com> | 2017-04-02 17:39:41 +0000 |
---|---|---|
committer | DJ Mountney <david@twkie.net> | 2017-04-05 21:03:46 -0700 |
commit | 2e8aa209f013d567bb3956a3e4201d3b2d63fe10 (patch) | |
tree | 4e2562c7630c5aa4d4bb68bd3e179f80a64eb5c3 /spec/helpers | |
parent | 5fde7c6c3b415656fe443a3ce27f12f41507a713 (diff) | |
Merge branch '30125-markdown-security'
Remove class from SanitizationFilter whitelist
See merge request !2079
Diffstat (limited to 'spec/helpers')
-rw-r--r-- | spec/helpers/events_helper_spec.rb | 27 |
1 files changed, 22 insertions, 5 deletions
diff --git a/spec/helpers/events_helper_spec.rb b/spec/helpers/events_helper_spec.rb
index 70443d27f33..a7c3c281083 100644
--- a/spec/helpers/events_helper_spec.rb
+++ b/spec/helpers/events_helper_spec.rb
@@ -2,8 +2,10 @@ require 'spec_helper'
 describe EventsHelper do
 describe '#event_note' do
+ let(:user) { build(:user) }
+
 before do
- allow(helper).to receive(:current_user).and_return(double)
+ allow(helper).to receive(:current_user).and_return(user)
 end
 it 'displays one line of plain text without alteration' do
@@ -60,11 +62,26 @@ describe EventsHelper do
 expect(helper.event_note(input)).to eq(expected)
 end
- it 'preserves style attribute within a tag' do
- input = '<span class="" style="background-color: #44ad8e; color: #FFFFFF;"></span>'
- expected = '<p><span style="background-color: #44ad8e; color: #FFFFFF;"></span></p>'
+ context 'labels formatting' do
+ let(:input) { 'this should be ~label_1' }
- expect(helper.event_note(input)).to eq(expected)
+ def format_event_note(project)
+ create(:label, title: 'label_1', project: project)
+
+ helper.event_note(input, { project: project })
+ end
+
+ it 'preserves style attribute for a label that can be accessed by current_user' do
+ project = create(:empty_project, :public)
+
+ expect(format_event_note(project)).to match(/span class=.*style=.*/)
+ end
+
+ it 'does not style a label that can not be accessed by current_user' do
+ project = create(:empty_project, :private)
+
+ expect(format_event_note(project)).to eq("<p>#{input}</p>")
+ end
 end
 end |
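Review bot: The positive example in the new `labels formatting` context asserts only `match(/span class=.*style=.*/)`, which is unanchored and passes for any `span` carrying both attributes, so it does not show that the markup comes from the rendered label and not from text the author typed. With the old 'preserves style attribute within a tag' example removed, nothing in this file pins what now happens to a raw `<span class=... style=...>` in a note. That case may be covered in the sanitization filter's own spec, which this page (limited to spec/helpers) does not show. I would add a negative example here, something like `expect(helper.event_note('<span class="x">a</span>')).not_to include('class=')`, and tighten the positive match so it also checks the label title `label_1`. The trailing `.*` in the pattern is redundant.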