Fix xss for Markdown elements where [[_TOC_]] is enabled

author: Mark Chao <mchao@gitlab.com> 2018-06-15 13:40:14 +0800
committer: Mark Chao <mchao@gitlab.com> 2018-06-16 11:23:35 +0800
commit: 00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa (patch)
tree: 2a777aee17f24709f07ea853b46d03918b542cb6 /spec
parent: fb08183e63733dd7845a16d9f827a5cd5f2d9080 (diff)
download: gitlab-ce-00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa.tar.gz
1 files changed, 9 insertions, 0 deletions
diff --git a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
index 0cfef4ff5bf..7213cd58ea7 100644
--- a/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
+++ b/spec/lib/banzai/filter/table_of_contents_filter_spec.rb
@@ -139,5 +139,14 @@ describe Banzai::Filter::TableOfContentsFilter do
         expect(items[5].ancestors).to include(items[4])
       end
     end
+
+    context 'header text contains escaped content' do
+      let(:content) { '&lt;img src="x" onerror="alert(42)"&gt;' }
+      let(:results) { result(header(1, content)) }
+
+      it 'outputs escaped content' do
+        expect(doc.inner_html).to include(content)
+      end
+    end
   end
 end
author	Mark Chao <mchao@gitlab.com>	2018-06-15 13:40:14 +0800
committer	Mark Chao <mchao@gitlab.com>	2018-06-16 11:23:35 +0800
commit	00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa (patch)
tree	2a777aee17f24709f07ea853b46d03918b542cb6 /spec
parent	fb08183e63733dd7845a16d9f827a5cd5f2d9080 (diff)
download	gitlab-ce-00c68e1b03ed92eef6aa6ab3fb84b827b14b9daa.tar.gz