Merge remote-tracking branch 'upstream/master' into show-commit-status-from-source-project

* upstream/master: (327 commits)
  Formatted all app/assets/javascripts to underscore naming convention
  Add registry to skipped data in backup raketask docs
  Updating changes based on feedback from @connorshea
  Changes to make Git basics more intuitive - updated verbiage where appropriate - changed "git config" commands to include quotes for variables to be more in line with standard practive and to avoid issues with spaces - updated CHANGELOG as part of commit
  Remove Ci::ApplicationController
  HTMLEntityFilter -> HtmlEntityFilter
  Clarify which token should be used to delete a runner
  Changed 'Compare branches, tags or commit ranges' to 'Compare Git revisions'
  Changed placeholder to 'Commit hash'
  Add link to test coverage report to README
  Added copy file path button to diffs
  Fix wrong icon in CI build detail sidebar: right-arrow => arrow-right
  Prevent conflict b/w search field and its dropdown
  Make searching for commits case insensitive.
  Use user from let instead recreate in before
  reword html titles for merge requests and issues
  Fix a typo in doc/api/labels.md
  Check for transition loopback in commit status
  Add temporary fix for race condition in MWBS
  Improve transitions and run hooks after transaction
  ...

2 files changed, 50 insertions, 1 deletions

diff --git a/spec/views/ci/lints/show.html.haml_spec.rb b/spec/views/ci/lints/show.html.haml_spec.rb
index 793b747e7eb..2dac5ee23c8 100644
--- a/spec/views/ci/lints/show.html.haml_spec.rb
+++ b/spec/views/ci/lints/show.html.haml_spec.rb
@@ -1,6 +1,52 @@
 require 'spec_helper'
 
 describe 'ci/lints/show' do
+  include Devise::TestHelpers
+
+  describe 'XSS protection' do
+    let(:config_processor) { Ci::GitlabCiYamlProcessor.new(YAML.dump(content)) }
+    before do
+      assign(:status, true)
+      assign(:builds, config_processor.builds)
+      assign(:stages, config_processor.stages)
+      assign(:jobs, config_processor.jobs)
+    end
+
+    context 'when builds attrbiutes contain HTML nodes' do
+      let(:content) do
+        {
+          rspec: {
+            script: '<h1>rspec</h1>',
+            stage: 'test'
+          }
+        }
+      end
+
+      it 'does not render HTML elements' do
+        render
+
+        expect(rendered).not_to have_css('h1', text: 'rspec')
+      end
+    end
+
+    context 'when builds attributes do not contain HTML nodes' do
+      let(:content) do
+        {
+          rspec: {
+            script: 'rspec',
+            stage: 'test'
+          }
+        }
+      end
+
+      it 'shows configuration in the table' do
+        render
+
+        expect(rendered).to have_css('td pre', text: 'rspec')
+      end
+    end
+  end
+
   let(:content) do
     {
       build_template: {
diff --git a/spec/views/projects/merge_requests/edit.html.haml_spec.rb b/spec/views/projects/merge_requests/edit.html.haml_spec.rb
index 26ea252fecb..3650b22c389 100644
--- a/spec/views/projects/merge_requests/edit.html.haml_spec.rb
+++ b/spec/views/projects/merge_requests/edit.html.haml_spec.rb
@@ -7,12 +7,15 @@ describe 'projects/merge_requests/edit.html.haml' do
   let(:project) { create(:project) }
   let(:fork_project) { create(:project, forked_from_project: project) }
   let(:unlink_project) { Projects::UnlinkForkService.new(fork_project, user) }
+  let(:milestone) { create(:milestone, project: project) }
 
   let(:closed_merge_request) do
     create(:closed_merge_request,
       source_project: fork_project,
       target_project: project,
-      author: user)
+      author: user,
+      assignee: user,
+      milestone: milestone)
   end
 
   before do