authorAlessio Caiazza <acaiazza@gitlab.com>2018-06-25 16:13:53 +0000
committerAlessio Caiazza <acaiazza@gitlab.com>2018-06-25 16:13:53 +0000
commit70c02bf3bce18d39a4fae85bb927334391cd2a5e (patch)
tree0b0f3426976856f18fb5a9dc0c371b2447178cc8 /spec/lib/banzai
parent4605d27d341d7840cba3453f2b2f23fb992c44b3 (diff)
parent039b0c0dbd956e458000fb4f3f7cf0a638098912 (diff)
downloadgitlab-ce-70c02bf3bce18d39a4fae85bb927334391cd2a5e.tar.gz
Merge branch 'security-fj-bumping-sanitize-gem' into 'master'
[master] Update sanitize gem to 4.6.5 to fix HTML injection vulnerability See merge request gitlab/gitlabhq!2399
Diffstat (limited to 'spec/lib/banzai')
-rw-r--r--spec/lib/banzai/filter/sanitization_filter_spec.rb12
1 files changed, 11 insertions, 1 deletions
diff --git a/spec/lib/banzai/filter/sanitization_filter_spec.rb b/spec/lib/banzai/filter/sanitization_filter_spec.rb
index 17a620ef603..d930c608b18 100644
--- a/spec/lib/banzai/filter/sanitization_filter_spec.rb
+++ b/spec/lib/banzai/filter/sanitization_filter_spec.rb
@@ -93,6 +93,16 @@ describe Banzai::Filter::SanitizationFilter do
expect(doc.at_css('td')['style']).to eq 'text-align: center'
end
+ it 'disallows `text-align` property in `style` attribute on other elements' do
+ html = <<~HTML
+ <div style="text-align: center">Text</div>
+ HTML
+
+ doc = filter(html)
+
+ expect(doc.at_css('div')['style']).to be_nil
+ end
+
it 'allows `span` elements' do
exp = act = %q{<span>Hello</span>}
expect(filter(act).to_html).to eq exp
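Review bot: The added example that disallows `text-align` outside table cells exercises only `div`, so a sanitizer allowlist that let `style` through on some other permitted element would still pass this spec. The example right after it shows that `span` is allowed, so a second assertion such as `expect(filter('<span style="text-align: center">Text</span>').at_css('span')['style']).to be_nil` would cover an inline element as well. The enclosing `describe` block starts and ends outside the hunk, so an equivalent check may already exist elsewhere in the file.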
@@ -224,7 +234,7 @@ describe Banzai::Filter::SanitizationFilter do
'protocol-based JS injection: spaces and entities' => {
input: '<a href=" &#14; javascript:alert(\'XSS\');">foo</a>',
- output: '<a href="">foo</a>'
+ output: '<a href>foo</a>'
},
'protocol whitespace' => {