diff options
author | Imre Farkas <ifarkas@gitlab.com> | 2018-06-15 10:44:59 +0200 |
---|---|---|
committer | Imre Farkas <ifarkas@gitlab.com> | 2018-06-15 14:26:48 +0200 |
commit | 1fbf6f186948e29dfcd09332a083962904e674ae (patch) | |
tree | d4795b2e3ae2cf3d2e14674a676b011f01613de0 /spec/helpers | |
parent | a8445cc29d81f8d8169e93cd4ef6692aa0fef1fb (diff) | |
download | gitlab-ce-1fbf6f186948e29dfcd09332a083962904e674ae.tar.gz |
HTML escape the name of the user in ProjectsHelper#link_to_member
Diffstat (limited to 'spec/helpers')
-rw-r--r-- | spec/helpers/projects_helper_spec.rb | 9 |
1 files changed, 8 insertions, 1 deletions
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb index 5cf9e9e8f12..80147b13739 100644 --- a/spec/helpers/projects_helper_spec.rb +++ b/spec/helpers/projects_helper_spec.rb @@ -248,7 +248,7 @@ describe ProjectsHelper do describe '#link_to_member' do let(:group) { build_stubbed(:group) } let(:project) { build_stubbed(:project, group: group) } - let(:user) { build_stubbed(:user) } + let(:user) { build_stubbed(:user, name: '<h1>Administrator</h1>') } describe 'using the default options' do it 'returns an HTML link to the user' do @@ -256,6 +256,13 @@ describe ProjectsHelper do expect(link).to match(%r{/#{user.username}}) end + + it 'HTML escapes the name of the user' do + link = helper.link_to_member(project, user) + + expect(link).to include(ERB::Util.html_escape(user.name)) + expect(link).not_to include(user.name) + end end end |