-rw-r--r-- | app/helpers/external_link_helper.rb | 5 | ||||
-rw-r--r-- | app/helpers/icons_helper.rb | 2 | ||||
-rw-r--r-- | doc/api/dependencies.md | 10 | ||||
-rw-r--r-- | spec/helpers/external_link_helper_spec.rb | 8 | ||||
-rw-r--r-- | spec/helpers/icons_helper_spec.rb | 8 |
5 files changed, 26 insertions, 7 deletions
diff --git a/app/helpers/external_link_helper.rb b/app/helpers/external_link_helper.rb index 058302d1ed8..c951d0daf96 100644 --- a/app/helpers/external_link_helper.rb +++ b/app/helpers/external_link_helper.rb @@ -1,9 +1,12 @@ # frozen_string_literal: true module ExternalLinkHelper + include ActionView::Helpers::TextHelper + def external_link(body, url, options = {}) - link_to url, { target: '_blank', rel: 'noopener noreferrer' }.merge(options) do + link = link_to url, { target: '_blank', rel: 'noopener noreferrer' }.merge(options) do "#{body}#{sprite_icon('external-link', css_class: 'gl-ml-1')}".html_safe end + sanitize(link, tags: %w(a svg use), attributes: %w(target rel data-testid class href).concat(options.stringify_keys.keys)) end end diff --git a/app/helpers/icons_helper.rb b/app/helpers/icons_helper.rb index 096a3f2269b..c38b4a7aedf 100644 --- a/app/helpers/icons_helper.rb +++ b/app/helpers/icons_helper.rb @@ -44,7 +44,7 @@ module IconsHelper content_tag( :svg, - content_tag(:use, '', { 'xlink:href' => "#{sprite_icon_path}##{icon_name}" } ), + content_tag(:use, '', { 'href' => "#{sprite_icon_path}##{icon_name}" } ), class: css_classes.empty? ? nil : css_classes.join(' '), data: { testid: "#{icon_name}-icon" } ) diff --git a/doc/api/dependencies.md b/doc/api/dependencies.md index c8b928ab5b2..6e9c37980ac 100644 --- a/doc/api/dependencies.md +++ b/doc/api/dependencies.md @@ -11,6 +11,9 @@ This API is in an alpha stage and considered unstable. The response payload may be subject to change or breakage across GitLab releases. +> - Introduced in GitLab 12.1. +> - Pagination introduced in 14.4. + Every call to this endpoint requires authentication. To perform this call, user should be authorized to read repository. To see vulnerabilities in response, user should be authorized to read [Project Security Dashboard](../user/application_security/security_dashboard/index.md#project-security-dashboard). 
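Review bot: The attribute allowlist on the new `sanitize(...)` line is extended with `options.stringify_keys.keys`, so every attribute name a caller passes in `options` is permitted through; for those attributes only the URI-protocol scrubbing that rails-html-sanitizer applies to `href`-style attributes still takes effect (as far as I can tell, other attribute names in the allowlist are kept as-is), which means the sanitize step cannot reject a caller-supplied attribute name. That is fine while `options` is always assembled in code, but the method does not record that assumption; add `# options keys are added to the sanitize attribute allowlist, so they must come from code, never from user input` above the call, or drop the `concat` and enumerate the option keys callers actually use. Separately, `sanitize` is defined in `ActionView::Helpers::SanitizeHelper`; including that module directly rather than `TextHelper` names the dependency this change needs. The whole of `external_link` is inside this hunk.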
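Review bot: The switch from `'xlink:href'` to `'href'` on the `content_tag(:use, ...)` line has a motivation that is not visible in this file — the sibling `ExternalLinkHelper` change allowlists `href` but not `xlink:href`, so the sprite reference would otherwise be stripped by `sanitize` — and deserves a comment such as `# SVG 2 plain href (not xlink:href): survives sanitize attribute allowlists and is supported by current browsers`. While touching the line, the stray space before the closing paren should go: `content_tag(:use, '', { 'href' => "#{sprite_icon_path}##{icon_name}" }),`. The enclosing `sprite_icon` method starts before this hunk.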
@@ -60,3 +63,10 @@ Example response: } ] ``` + +## Dependencies pagination + +By default, `GET` requests return 20 results at a time because the API results +are paginated. + +Read more on [pagination](index.md#pagination). diff --git a/spec/helpers/external_link_helper_spec.rb b/spec/helpers/external_link_helper_spec.rb index f5bb0568824..b746cb04ab3 100644 --- a/spec/helpers/external_link_helper_spec.rb +++ b/spec/helpers/external_link_helper_spec.rb @@ -13,8 +13,14 @@ RSpec.describe ExternalLinkHelper do it 'allows options when creating external link with icon' do link = external_link('https://gitlab.com', 'https://gitlab.com', { "data-foo": "bar", class: "externalLink" }).to_s - expect(link).to start_with('<a target="_blank" rel="noopener noreferrer" data-foo="bar" class="externalLink" href="https://gitlab.com">https://gitlab.com') expect(link).to include('data-testid="external-link-icon"') end + + it 'sanitizes and returns external link with icon' do + link = external_link('sanitized link content', 'javascript:alert()').to_s + expect(link).not_to include('href="javascript:alert()"') + expect(link).to start_with('<a target="_blank" rel="noopener noreferrer">sanitized link content') + expect(link).to include('data-testid="external-link-icon"') + end end diff --git a/spec/helpers/icons_helper_spec.rb b/spec/helpers/icons_helper_spec.rb index 4784d0aff26..af2957d72c7 100644 --- a/spec/helpers/icons_helper_spec.rb +++ b/spec/helpers/icons_helper_spec.rb 
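Review bot: Removing the `start_with(...)` expectation from 'allows options when creating external link with icon' leaves that example asserting only the icon's `data-testid`, so it no longer checks that caller options survive the new sanitize step — the case the `concat(options.stringify_keys.keys)` allowlist exists for; add `expect(link).to include('data-foo="bar"', 'class="externalLink"')`. The new example pins the `href` protocol handling but not the `body` argument, which the helper marks `html_safe` before sanitizing; an example such as `expect(external_link('<em>text</em>', 'https://gitlab.com').to_s).not_to include('<em>')` would document that disallowed markup in `body` is stripped. The `RSpec.describe` block starts before this hunk.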
@@ -35,22 +35,22 @@ RSpec.describe IconsHelper do it 'returns svg icon html with DEFAULT_ICON_SIZE' do expect(sprite_icon(icon_name).to_s) - .to eq "<svg class=\"s#{IconsHelper::DEFAULT_ICON_SIZE}\" data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>" + .to eq "<svg class=\"s#{IconsHelper::DEFAULT_ICON_SIZE}\" data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>" end it 'returns svg icon html without size class' do expect(sprite_icon(icon_name, size: nil).to_s) - .to eq "<svg data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>" + .to eq "<svg data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>" end it 'returns svg icon html + size classes' do expect(sprite_icon(icon_name, size: 72).to_s) - .to eq "<svg class=\"s72\" data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>" + .to eq "<svg class=\"s72\" data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>" end it 'returns svg icon html + size classes + additional class' do expect(sprite_icon(icon_name, size: 72, css_class: 'icon-danger').to_s) - .to eq "<svg class=\"s72 icon-danger\" data-testid=\"#{icon_name}-icon\"><use xlink:href=\"#{icons_path}##{icon_name}\"></use></svg>" + .to eq "<svg class=\"s72 icon-danger\" data-testid=\"#{icon_name}-icon\"><use href=\"#{icons_path}##{icon_name}\"></use></svg>" end describe 'non existing icon' do |