Diffstat (limited to 'spec/helpers/gitlab_script_tag_helper_spec.rb')
-rw-r--r--spec/helpers/gitlab_script_tag_helper_spec.rb44
1 files changed, 44 insertions, 0 deletions
diff --git a/spec/helpers/gitlab_script_tag_helper_spec.rb b/spec/helpers/gitlab_script_tag_helper_spec.rb
new file mode 100644
index 00000000000..37413b9b1c2
--- /dev/null
+++ b/spec/helpers/gitlab_script_tag_helper_spec.rb
@@ -0,0 +1,44 @@
+# frozen_string_literal: true
+
+require 'spec_helper'
+
+RSpec.describe GitlabScriptTagHelper do
+ before do
+ allow(helper).to receive(:content_security_policy_nonce).and_return('noncevalue')
+ end
+
+ describe 'external script tag' do
+ let(:script_url) { 'test.js' }
+
+ it 'returns a script tag with defer=true and a nonce' do
+ expect(helper.javascript_include_tag(script_url).to_s)
+ .to eq "<script src=\"/javascripts/#{script_url}\" defer=\"defer\" nonce=\"noncevalue\"></script>"
+ end
+ end
+
+ describe 'inline script tag' do
+ let(:tag_with_nonce) {"<script nonce=\"noncevalue\">\n//<![CDATA[\nalert(1)\n//]]>\n</script>"}
+ let(:tag_with_nonce_and_type) {"<script type=\"application/javascript\" nonce=\"noncevalue\">\n//<![CDATA[\nalert(1)\n//]]>\n</script>"}
+
+ it 'returns a script tag with a nonce using block syntax' do
+ expect(helper.javascript_tag { 'alert(1)' }.to_s).to eq tag_with_nonce
+ end
+
+ it 'returns a script tag with a nonce using block syntax with options' do
+ expect(helper.javascript_tag(type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
+ end
+
+ it 'returns a script tag with a nonce using argument syntax' do
+ expect(helper.javascript_tag('alert(1)').to_s).to eq tag_with_nonce
+ end
+
+ it 'returns a script tag with a nonce using argument syntax with options' do
+ expect(helper.javascript_tag( 'alert(1)', type: 'application/javascript').to_s).to eq tag_with_nonce_and_type
+ end
+
+ # This scenario does not really make sense, but it's supported so we test it
+ it 'returns a script tag with a nonce using argument and block syntax with options' do
+ expect(helper.javascript_tag( '// ignored', type: 'application/javascript') { 'alert(1)' }.to_s).to eq tag_with_nonce_and_type
+ end
+ end
+end
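Review bot: Every example runs with `content_security_policy_nonce` stubbed to `'noncevalue'` in the top-level `before`, so the spec never pins what the helper emits when no nonce is available (in Rails that method returns nil when the request has no content security policy). A regression that renders `nonce=""` or a literal empty attribute in that case would pass this file unnoticed. I would add a context that stubs `allow(helper).to receive(:content_security_policy_nonce).and_return(nil)` and asserts the intended output, for example `expect(helper.javascript_tag('alert(1)').to_s).not_to include('nonce')`; the helper itself is not part of this hunk, so the expected behaviour needs confirming against it. An example where the caller passes its own `nonce:` or `defer: false` option would also document which side wins, since a caller-supplied value silently replacing the per-request nonce would weaken the CSP.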