summaryrefslogtreecommitdiff
path: root/spec/helpers/diff_helper_spec.rb
diff options
context:
space:
mode:
Diffstat (limited to 'spec/helpers/diff_helper_spec.rb')
-rw-r--r--spec/helpers/diff_helper_spec.rb30
1 files changed, 28 insertions, 2 deletions
diff --git a/spec/helpers/diff_helper_spec.rb b/spec/helpers/diff_helper_spec.rb
index 15cbe36ae76..53c010fa0db 100644
--- a/spec/helpers/diff_helper_spec.rb
+++ b/spec/helpers/diff_helper_spec.rb
@@ -135,11 +135,37 @@ describe DiffHelper do
it "returns strings with marked inline diffs" do
marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
- expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">'def'</span>})
+ expect(marked_old_line).to eq(%q{abc <span class="idiff left right deletion">&#39;def&#39;</span>})
expect(marked_old_line).to be_html_safe
- expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">"def"</span>})
+ expect(marked_new_line).to eq(%q{abc <span class="idiff left right addition">&quot;def&quot;</span>})
expect(marked_new_line).to be_html_safe
end
+
+ context 'when given HTML' do
+ it 'sanitizes it' do
+ old_line = %{test.txt}
+ new_line = %{<img src=x onerror=alert(document.domain)>}
+
+ marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
+
+ expect(marked_old_line).to eq(%q{<span class="idiff left right deletion">test.txt</span>})
+ expect(marked_old_line).to be_html_safe
+ expect(marked_new_line).to eq(%q{<span class="idiff left right addition">&lt;img src=x onerror=alert(document.domain)&gt;</span>})
+ expect(marked_new_line).to be_html_safe
+ end
+
+ it 'sanitizes the entire line, not just the changes' do
+ old_line = %{<img src=x onerror=alert(document.domain)>}
+ new_line = %{<img src=y onerror=alert(document.domain)>}
+
+ marked_old_line, marked_new_line = mark_inline_diffs(old_line, new_line)
+
+ expect(marked_old_line).to eq(%q{&lt;img src=<span class="idiff left right deletion">x</span> onerror=alert(document.domain)&gt;})
+ expect(marked_old_line).to be_html_safe
+ expect(marked_new_line).to eq(%q{&lt;img src=<span class="idiff left right addition">y</span> onerror=alert(document.domain)&gt;})
+ expect(marked_new_line).to be_html_safe
+ end
+ end
end
describe '#parallel_diff_discussions' do
View Lorry Controller Status