diff options
author | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 17:02:49 +0000 |
---|---|---|
committer | GitLab Release Tools Bot <robert+release-tools@gitlab.com> | 2019-11-26 17:02:49 +0000 |
commit | 6b50c98f7a3c38627603da3650240a401789bb79 (patch) | |
tree | 85019936afe1b6b21409cbc0b6e566160f5dca77 /spec/lib/banzai | |
parent | 5df019e892f4e717772133e469303ab220938233 (diff) | |
parent | 54564e79d311f06cbf279d137d6d517efc5c9fb2 (diff) | |
download | gitlab-ce-6b50c98f7a3c38627603da3650240a401789bb79.tar.gz |
Merge branch 'security-fix-xss-in-label-namespace' into 'master'
Escape namespace in label references
Closes #2941
See merge request gitlab/gitlabhq!3509
Diffstat (limited to 'spec/lib/banzai')
-rw-r--r-- | spec/lib/banzai/filter/label_reference_filter_spec.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/label_reference_filter_spec.rb b/spec/lib/banzai/filter/label_reference_filter_spec.rb index 35e99d2586e..66af26bc51c 100644 --- a/spec/lib/banzai/filter/label_reference_filter_spec.rb +++ b/spec/lib/banzai/filter/label_reference_filter_spec.rb @@ -521,6 +521,15 @@ describe Banzai::Filter::LabelReferenceFilter do expect(reference_filter(act).to_html).to eq exp end + + context 'when group name has HTML entities' do + let(:another_group) { create(:group, name: '<img src=x onerror=alert(1)>', path: 'another_group') } + + it 'escapes the HTML entities' do + expect(result.text) + .to eq "See #{group_label.name} in #{another_project.full_name}" + end + end end describe 'cross-project / same-group_label complete reference' do |