Merge branch 'bvl-security-patches' into 'master'

Security patches -> `master` See merge request !11230
author: Robert Speicher <robert@gitlab.com> 2017-05-10 18:26:02 +0000
committer: Robert Speicher <robert@gitlab.com> 2017-05-10 18:26:02 +0000
commit: 180ec7113e358a7f8388e1436dc0670a11ba68df (patch)
tree: fba74833a7e89d6c19160a0d7e02355c5215c8df /spec/views
parent: 09c4d27ae48ceb181f86657043af2a129c17dabf (diff)
parent: ebd8b7f60f41358df562625a4692f352b86b8c80 (diff)
download: gitlab-ce-180ec7113e358a7f8388e1436dc0670a11ba68df.tar.gz
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/views/projects/imports/new.html.haml_spec.rb b/spec/views/projects/imports/new.html.haml_spec.rb
new file mode 100644
index 00000000000..9b293065797
--- /dev/null
+++ b/spec/views/projects/imports/new.html.haml_spec.rb
@@ -0,0 +1,22 @@
+require "spec_helper"
+
+describe "projects/imports/new.html.haml" do
+  let(:user) { create(:user) }
+
+  context 'when import fails' do
+    let(:project) { create(:project_empty_repo, import_status: :failed, import_error: '<a href="http://googl.com">Foo</a>', import_type: :gitlab_project, import_source: '/var/opt/gitlab/gitlab-rails/shared/tmp/project_exports/uploads/t.tar.gz', import_url: nil) }
+
+    before do
+      sign_in(user)
+      project.team << [user, :master]
+    end
+
+    it "escapes HTML in import errors" do
+      assign(:project, project)
+
+      render
+
+      expect(rendered).not_to have_link('Foo', href: "http://googl.com")
+    end
+  end
+end
author	Robert Speicher <robert@gitlab.com>	2017-05-10 18:26:02 +0000
committer	Robert Speicher <robert@gitlab.com>	2017-05-10 18:26:02 +0000
commit	180ec7113e358a7f8388e1436dc0670a11ba68df (patch)
tree	fba74833a7e89d6c19160a0d7e02355c5215c8df /spec/views
parent	09c4d27ae48ceb181f86657043af2a129c17dabf (diff)
parent	ebd8b7f60f41358df562625a4692f352b86b8c80 (diff)
download	gitlab-ce-180ec7113e358a7f8388e1436dc0670a11ba68df.tar.gz