authorRobert Speicher <robert@gitlab.com>2017-05-02 14:52:19 +0000
committerBob Van Landuyt <bob@gitlab.com>2017-05-10 16:44:20 +0200
commit99996b6bc7c13e7e7f871919942907b380d4b58c (patch)
treec87b232ade284781ae96d2819636c639d584972b /spec
parent9b03ed0a182c9ad96957085826cc85f8f229569c (diff)
Merge branch 'bvl-security-9-1-markup-pipeline'
(security-9-1) Render asciidoc & other markup using banzai in a pipeline See merge request !2098
Diffstat (limited to 'spec')
-rw-r--r--spec/lib/gitlab/asciidoc_spec.rb14
-rw-r--r--spec/lib/gitlab/other_markup_spec.rb2
2 files changed, 12 insertions, 4 deletions
diff --git a/spec/lib/gitlab/asciidoc_spec.rb b/spec/lib/gitlab/asciidoc_spec.rb
index 0f47fb2fbd9..f284dd14cec 100644
--- a/spec/lib/gitlab/asciidoc_spec.rb
+++ b/spec/lib/gitlab/asciidoc_spec.rb
@@ -22,7 +22,7 @@ module Gitlab
expect(Asciidoctor).to receive(:convert)
.with(input, expected_asciidoc_opts).and_return(html)
- expect(render(input)).to eq(html)
+ expect(render(input, context)).to eq(html)
end
context "XSS" do
@@ -33,7 +33,7 @@ module Gitlab
},
'images' => {
input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
- output: "<div>\n<p><span><img src=\"https://localhost.com/image.png\" alt=\"Alt text\"></span></p>\n</div>"
+ output: "<img src=\"https://localhost.com/image.png\" alt=\"Alt text\">"
},
'pre' => {
input: '```mypre"><script>alert(3)</script>',
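Review bot: The new `images` expectation `<img src=\"https://localhost.com/image.png\" alt=\"Alt text\">` relies on its trailing `\">` to prove the injected `onerror` handler was stripped — with the `include` matcher used further down in this file, an output of `alt=\"Alt text\" onerror=\"alert(7)\">` fails only because the fragment closes the tag immediately after `alt`. That is easy to lose if someone later trims the fragment, so I would document it inline: `# keep the closing "> — it is what asserts no injected attribute follows alt`. The `links` hash starts before this hunk and the `pre` case's expected output is outside it, so I can't confirm the other fragments carry the same guarantee.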
@@ -43,10 +43,18 @@ module Gitlab
links.each do |name, data|
it "does not convert dangerous #{name} into HTML" do
- expect(render(data[:input])).to eq(data[:output])
+ expect(render(data[:input], context)).to include(data[:output])
end
end
end
+
+ context 'external links' do
+ it 'adds the `rel` attribute to the link' do
+ output = render('link:https://google.com[Google]', context)
+
+ expect(output).to include('rel="nofollow noreferrer"')
+ end
+ end
end
def render(*args)
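Review bot: Loosening the XSS examples from `eq` to `include` at `expect(render(data[:input], context)).to include(data[:output])` turns a whole-output check into a presence check: it proves the sanitized fragment appears, not that the payload is gone, so a pipeline that emits the safe fragment alongside a leaked `<script>` or an event-handler attribute elsewhere in the document would still pass. Pin the negative property explicitly next to it, e.g. `output = render(data[:input], context)` followed by `expect(output).not_to include('<script')` and `expect(output).not_to match(/\bon\w+=/)`. The `external links` example likewise only asserts the `rel` value; checking `href="https://google.com"` survived would guard against the link being dropped rather than hardened. The `links` hash is defined before this hunk and `def render(*args)` continues past it, so I can't see every case or how `context` reaches the renderer.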
diff --git a/spec/lib/gitlab/other_markup_spec.rb b/spec/lib/gitlab/other_markup_spec.rb
index d6d53e8586c..c0f5fa9dc1f 100644
--- a/spec/lib/gitlab/other_markup_spec.rb
+++ b/spec/lib/gitlab/other_markup_spec.rb
@@ -13,7 +13,7 @@ describe Gitlab::OtherMarkup, lib: true do
}
links.each do |name, data|
it "does not convert dangerous #{name} into HTML" do
- expect(render(data[:file], data[:input])).to eq(data[:output])
+ expect(render(data[:file], data[:input], context)).to eq(data[:output])
end
end
end