diff options
author | Mark Chao <mchao@gitlab.com> | 2018-06-15 13:40:14 +0800 |
---|---|---|
committer | Mark Chao <mchao@gitlab.com> | 2018-06-16 11:23:35 +0800 |
commit | 00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa (patch) | |
tree | 2a777aee17f24709f07ea853b46d03918b542cb6 /spec | |
parent | fb08183e63733dd7845a16d9f827a5cd5f2d9080 (diff) | |
download | gitlab-ce-00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa.tar.gz |
Fix xss for Markdown elements where [[_TOC_]] is enabled
Diffstat (limited to 'spec')
-rw-r--r-- | spec/lib/banzai/filter/table_of_contents_filter_spec.rb | 9 |
1 files changed, 9 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb index 0cfef4ff5bf..7213cd58ea7 100644 --- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb +++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb @@ -139,5 +139,14 @@ describe Banzai::Filter::TableOfContentsFilter do expect(items[5].ancestors).to include(items[4]) end end + + context 'header text contains escaped content' do + let(:content) { '<img src="x" onerror="alert(42)">' } + let(:results) { result(header(1, content)) } + + it 'outputs escaped content' do + expect(doc.inner_html).to include(content) + end + end end end |