1 files changed, 60 insertions, 0 deletions

diff --git a/spec/javascripts/notes/components/note_awards_list_spec.js b/spec/javascripts/notes/components/note_awards_list_spec.js
index ede541a5247..90aa1684272 100644
--- a/spec/javascripts/notes/components/note_awards_list_spec.js
+++ b/spec/javascripts/notes/components/note_awards_list_spec.js
@@ -61,6 +61,66 @@ describe('note_awards_list component', () => {
     expect(vm.$el.querySelector('.js-add-award')).toBeDefined();
   });
 
+  describe('when the user name contains special HTML characters', () => {
+    const createAwardEmoji = (_, index) => ({
+      name: 'art',
+      user: { id: index, name: `&<>"\`'-${index}`, username: `user-${index}` },
+    });
+
+    const mountComponent = () => {
+      const Component = Vue.extend(awardsNote);
+      vm = new Component({
+        store,
+        propsData: {
+          awards: awardsMock,
+          noteAuthorId: 0,
+          noteId: '545',
+          canAwardEmoji: true,
+          toggleAwardPath: '/gitlab-org/gitlab-foss/notes/545/toggle_award_emoji',
+        },
+      }).$mount();
+    };
+
+    const findTooltip = () =>
+      vm.$el.querySelector('[data-original-title]').getAttribute('data-original-title');
+
+    it('should only escape & and " characters', () => {
+      awardsMock = [...new Array(1)].map(createAwardEmoji);
+      mountComponent();
+      const escapedName = awardsMock[0].user.name.replace(/&/g, '&amp;').replace(/"/g, '&quot;');
+
+      expect(vm.$el.querySelector('[data-original-title]').outerHTML).toContain(escapedName);
+    });
+
+    it('should not escape special HTML characters twice when only 1 person awarded', () => {
+      awardsMock = [...new Array(1)].map(createAwardEmoji);
+      mountComponent();
+
+      awardsMock.forEach(award => {
+        expect(findTooltip()).toContain(award.user.name);
+      });
+    });
+
+    it('should not escape special HTML characters twice when 2 people awarded', () => {
+      awardsMock = [...new Array(2)].map(createAwardEmoji);
+      mountComponent();
+
+      awardsMock.forEach(award => {
+        expect(findTooltip()).toContain(award.user.name);
+      });
+    });
+
+    it('should not escape special HTML characters twice when more than 10 people awarded', () => {
+      awardsMock = [...new Array(11)].map(createAwardEmoji);
+      mountComponent();
+
+      // Testing only the first 10 awards since 11 onward will not be displayed.
+      awardsMock.slice(0, 10).forEach(award => {
+        expect(findTooltip()).toContain(award.user.name);
+      });
+    });
+  });
+
   describe('when the user cannot award emoji', () => {
     beforeEach(() => {
       const Component = Vue.extend(awardsNote);