Merge branch 'fix-rdoc-xss' into 'security'

Fix XSS in rdoc and other markups See https://dev.gitlab.org/gitlab/gitlabhq/merge_requests/2058
author: Robert Speicher <robert@gitlab.com> 2017-02-09 17:30:06 +0000
committer: Robert Speicher <rspeicher@gmail.com> 2017-02-15 10:41:57 -0500
commit: 7e1f7a02dbe3ebb6688005a4d966670bea12beb1 (patch)
tree: a26cbc9c30f5e913831571cd6d01f6cae554c1fc /spec
parent: 33c8d413d2b42bd7b823228a2739eddcd4dfbe51 (diff)
download: gitlab-ce-7e1f7a02dbe3ebb6688005a4d966670bea12beb1.tar.gz
1 files changed, 22 insertions, 0 deletions
diff --git a/spec/lib/gitlab/other_markup.rb b/spec/lib/gitlab/other_markup.rb
new file mode 100644
index 00000000000..8f5a353b381
--- /dev/null
+++ b/spec/lib/gitlab/other_markup.rb
@@ -0,0 +1,22 @@
+require 'spec_helper'
+
+describe Gitlab::OtherMarkup, lib: true do
+  context "XSS Checks" do
+    links = {
+      'links' => {
+        file: 'file.rdoc',
+        input: 'XSS[JaVaScriPt:alert(1)]',
+        output: '<p><a>XSS</a></p>'
+      }
+    }
+    links.each do |name, data|
+      it "does not convert dangerous #{name} into HTML" do
+        expect(render(data[:file], data[:input], context)).to eql data[:output]
+      end
+    end
+  end
+
+  def render(*args)
+    described_class.render(*args)
+  end
+end
author	Robert Speicher <robert@gitlab.com>	2017-02-09 17:30:06 +0000
committer	Robert Speicher <rspeicher@gmail.com>	2017-02-15 10:41:57 -0500
commit	7e1f7a02dbe3ebb6688005a4d966670bea12beb1 (patch)
tree	a26cbc9c30f5e913831571cd6d01f6cae554c1fc /spec
parent	33c8d413d2b42bd7b823228a2739eddcd4dfbe51 (diff)
download	gitlab-ce-7e1f7a02dbe3ebb6688005a4d966670bea12beb1.tar.gz