HTML escape the name of the user in ProjectsHelper#link_to_member

author: Imre Farkas <ifarkas@gitlab.com> 2018-06-15 10:44:59 +0200
committer: Imre Farkas <ifarkas@gitlab.com> 2018-06-15 14:26:48 +0200
commit: 1fbf6f186948e29dfcd09332a083962904e674ae (patch)
tree: d4795b2e3ae2cf3d2e14674a676b011f01613de0 /spec/helpers
parent: a8445cc29d81f8d8169e93cd4ef6692aa0fef1fb (diff)
download: gitlab-ce-1fbf6f186948e29dfcd09332a083962904e674ae.tar.gz
1 files changed, 8 insertions, 1 deletions
diff --git a/spec/helpers/projects_helper_spec.rb b/spec/helpers/projects_helper_spec.rb
index 5cf9e9e8f12..80147b13739 100644
--- a/spec/helpers/projects_helper_spec.rb
+++ b/spec/helpers/projects_helper_spec.rb
@@ -248,7 +248,7 @@ describe ProjectsHelper do
   describe '#link_to_member' do
     let(:group)   { build_stubbed(:group) }
     let(:project) { build_stubbed(:project, group: group) }
-    let(:user)    { build_stubbed(:user) }
+    let(:user)    { build_stubbed(:user, name: '<h1>Administrator</h1>') }
 
     describe 'using the default options' do
       it 'returns an HTML link to the user' do
@@ -256,6 +256,13 @@ describe ProjectsHelper do
 
         expect(link).to match(%r{/#{user.username}})
       end
+
+      it 'HTML escapes the name of the user' do
+        link = helper.link_to_member(project, user)
+
+        expect(link).to include(ERB::Util.html_escape(user.name))
+        expect(link).not_to include(user.name)
+      end
     end
   end
author	Imre Farkas <ifarkas@gitlab.com>	2018-06-15 10:44:59 +0200
committer	Imre Farkas <ifarkas@gitlab.com>	2018-06-15 14:26:48 +0200
commit	1fbf6f186948e29dfcd09332a083962904e674ae (patch)
tree	d4795b2e3ae2cf3d2e14674a676b011f01613de0 /spec/helpers
parent	a8445cc29d81f8d8169e93cd4ef6692aa0fef1fb (diff)
download	gitlab-ce-1fbf6f186948e29dfcd09332a083962904e674ae.tar.gz