diff options
| author | Jacob Schatz <jschatz@gitlab.com> | 2017-09-06 15:59:49 +0000 |
|---|---|---|
| committer | Robert Speicher <rspeicher@gmail.com> | 2017-09-07 20:22:16 -0400 |
| commit | 941a2d27373a99cb96561e7f41ac6ae8351dbb96 (patch) | |
| tree | 2c7dda705f0007f34f595d56ff46928638a8d833 /spec/javascripts/notes_spec.js | |
| parent | bc10afb600a8079fe250e7c82bf16763a8fed28f (diff) | |
| download | gitlab-ce-941a2d27373a99cb96561e7f41ac6ae8351dbb96.tar.gz | |
Merge branch 'fix-comment-reflection' into 'security-9-5'
Fix Live Comment XSS Vulnerability
See merge request gitlab/gitlabhq!2183
Diffstat (limited to 'spec/javascripts/notes_spec.js')
| -rw-r--r-- | spec/javascripts/notes_spec.js | 14 |
1 files changed, 14 insertions, 0 deletions
diff --git a/spec/javascripts/notes_spec.js b/spec/javascripts/notes_spec.js index 8c5ad8914b0..3e791a31604 100644 --- a/spec/javascripts/notes_spec.js +++ b/spec/javascripts/notes_spec.js @@ -770,6 +770,20 @@ import '~/notes'; expect($tempNote.prop('nodeName')).toEqual('LI'); expect($tempNote.find('.timeline-content').hasClass('discussion')).toBeTruthy(); }); + + it('should return a escaped user name', () => { + const currentUserFullnameXSS = 'Foo <script>alert("XSS")</script>'; + const $tempNote = this.notes.createPlaceholderNote({ + formContent: sampleComment, + uniqueId, + isDiscussionNote: false, + currentUsername, + currentUserFullname: currentUserFullnameXSS, + currentUserAvatar, + }); + const $tempNoteHeader = $tempNote.find('.note-header'); + expect($tempNoteHeader.find('.hidden-xs').text().trim()).toEqual('Foo <script>alert("XSS")</script>'); + }); }); describe('createPlaceholderSystemNote', () => { |