Diffstat (limited to 'spec/features/projects/wiki')
-rw-r--r-- | spec/features/projects/wiki/user_updates_wiki_page_spec.rb | 10 | ||||
-rw-r--r-- | spec/features/projects/wiki/user_views_wiki_page_spec.rb | 12 |
2 files changed, 17 insertions, 5 deletions
diff --git a/spec/features/projects/wiki/user_updates_wiki_page_spec.rb b/spec/features/projects/wiki/user_updates_wiki_page_spec.rb
index 3f3711f9eb8..d3a0c9b790b 100644
--- a/spec/features/projects/wiki/user_updates_wiki_page_spec.rb
+++ b/spec/features/projects/wiki/user_updates_wiki_page_spec.rb
@@ -83,15 +83,15 @@ describe 'User updates wiki page' do
 end
 it 'updates the commit message as the title is changed', :js do
- fill_in(:wiki_title, with: 'Wiki title')
+ fill_in(:wiki_title, with: '& < > \ \ { } &')
- expect(page).to have_field('wiki[message]', with: 'Update Wiki title')
+ expect(page).to have_field('wiki[message]', with: 'Update & < > \ \ { } &')
 end
- it 'does not allow XSS', :js do
- fill_in(:wiki_title, with: '<script>')
+ it 'correctly escapes the commit message entities', :js do
+ fill_in(:wiki_title, with: 'Wiki title')
- expect(page).to have_field('wiki[message]', with: 'Update <script>')
+ expect(page).to have_field('wiki[message]', with: 'Update Wiki title')
 end
 it 'shows a validation error message' do
diff --git a/spec/features/projects/wiki/user_views_wiki_page_spec.rb b/spec/features/projects/wiki/user_views_wiki_page_spec.rb
index 77e725e7f11..c7856342fb2 100644
--- a/spec/features/projects/wiki/user_views_wiki_page_spec.rb
+++ b/spec/features/projects/wiki/user_views_wiki_page_spec.rb
@@ -129,6 +129,18 @@ describe 'User views a wiki page' do
 end
 end
+ context 'when a page has XSS in its message' do
+ before do
+ wiki_page.update(message: '<script>alert(true)<script>', content: 'XSS update')
+ end
+
+ it 'safely displays the message' do
+ visit(project_wiki_history_path(project, wiki_page))
+
+ expect(page).to have_content('<script>alert(true)<script>')
+ end
+ end
+
 context 'when page has invalid content encoding' do
 let(:content) { (+'whatever').force_encoding('ISO-8859-1') }
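Review bot: The two example descriptions in the first hunk look swapped relative to their bodies: `it 'correctly escapes the commit message entities'` now fills in the plain title `'Wiki title'`, while `it 'updates the commit message as the title is changed'` is the one that receives the entity string `'& < > \ \ { } &'` and asserts the escaped-looking message. Either move the `fill_in`/`expect` pairs back or rename the examples so that `it 'updates the commit message as the title is changed', :js do` is the one using `'Wiki title'` and the entity string sits under the "escapes" description. Replacing the `'<script>'` input also removes this spec's only check that a complete tag-shaped title reaches `wiki[message]` intact; the new string exercises `<` and `>` separately but not a whole tag, so consider keeping `fill_in(:wiki_title, with: '<script>')` as an additional case — the `<script>alert(true)<script>` assertion added in user_views_wiki_page_spec.rb appears to cover the history view, not the edit form. The enclosing `describe 'User updates wiki page'` block starts and ends outside the hunk.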