diff options
author | Jan Provaznik <jprovaznik@gitlab.com> | 2018-10-24 09:01:52 +0000 |
---|---|---|
committer | Thiago Presa <tpresa@gitlab.com> | 2018-10-24 22:01:31 -0300 |
commit | 7c2086e2c7c8b91de5fcc67f52aa9b680559ac07 (patch) | |
tree | e89b2ebdf1f9f795dd92ef4dafd964da573a524c /spec | |
parent | 6dcb2c78beced3336142a53d54e644ac543c3ead (diff) | |
download | gitlab-ce-7c2086e2c7c8b91de5fcc67f52aa9b680559ac07.tar.gz |
Merge branch 'security-11-2-2717-fix-issue-title-xss' into 'security-11-2'
[11.2] Escape issue title while template rendering to prevent XSS
See merge request gitlab/gitlabhq!2558
Diffstat (limited to 'spec')
-rw-r--r-- | spec/features/issues/gfm_autocomplete_spec.rb | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/spec/features/issues/gfm_autocomplete_spec.rb b/spec/features/issues/gfm_autocomplete_spec.rb index 98e37d8011a..8a43847d64d 100644 --- a/spec/features/issues/gfm_autocomplete_spec.rb +++ b/spec/features/issues/gfm_autocomplete_spec.rb @@ -34,6 +34,21 @@ describe 'GFM autocomplete', :js do expect(page).to have_selector('.atwho-container') end + it 'opens autocomplete menu when field starts with text with item escaping HTML characters' do + alert_title = 'This will execute alert<img src=x onerror=alert(2)<img src=x onerror=alert(1)>' + create(:issue, project: project, title: alert_title) + + page.within '.timeline-content-form' do + find('#note-body').native.send_keys('#') + end + + expect(page).to have_selector('.atwho-container') + + page.within '.atwho-container #at-view-issues' do + expect(page.all('li').first.text).to include(alert_title) + end + end + it 'doesnt open autocomplete menu character is prefixed with text' do page.within '.timeline-content-form' do find('#note-body').native.send_keys('testing') |