Merge remote-tracking branch 'dev/master'

author: Bob Van Landuyt <bob@vanlanduyt.co> 2018-10-01 18:49:43 +0200
committer: Bob Van Landuyt <bob@vanlanduyt.co> 2018-10-01 18:49:43 +0200
commit: 1cd07610664ab955c8a044b20c71224594a9a9bb (patch)
tree: e96e765ba0a148442efd477221fa9b77628f0f05 /spec/javascripts
parent: c874a481346d0cd83801a510135f29c72fd8d3ae (diff)
parent: 7cb9957a33d37394cd884106865e4aedef519e97 (diff)
download: gitlab-ce-1cd07610664ab955c8a044b20c71224594a9a9bb.tar.gz
1 files changed, 19 insertions, 0 deletions
diff --git a/spec/javascripts/issue_show/index_spec.js b/spec/javascripts/issue_show/index_spec.js
new file mode 100644
index 00000000000..fa0b426c06c
--- /dev/null
+++ b/spec/javascripts/issue_show/index_spec.js
@@ -0,0 +1,19 @@
+import initIssueableApp from '~/issue_show';
+
+describe('Issue show index', () => {
+  describe('initIssueableApp', () => {
+    it('should initialize app with no potential XSS attack', () => {
+      const d = document.createElement('div');
+      d.id = 'js-issuable-app-initial-data';
+      d.innerHTML = JSON.stringify({
+        initialDescriptionHtml: '&lt;img src=x onerror=alert(1)&gt;',
+      });
+      document.body.appendChild(d);
+
+      const alertSpy = spyOn(window, 'alert');
+      initIssueableApp();
+
+      expect(alertSpy).not.toHaveBeenCalled();
+    });
+  });
+});
author	Bob Van Landuyt <bob@vanlanduyt.co>	2018-10-01 18:49:43 +0200
committer	Bob Van Landuyt <bob@vanlanduyt.co>	2018-10-01 18:49:43 +0200
commit	1cd07610664ab955c8a044b20c71224594a9a9bb (patch)
tree	e96e765ba0a148442efd477221fa9b77628f0f05 /spec/javascripts
parent	c874a481346d0cd83801a510135f29c72fd8d3ae (diff)
parent	7cb9957a33d37394cd884106865e4aedef519e97 (diff)
download	gitlab-ce-1cd07610664ab955c8a044b20c71224594a9a9bb.tar.gz