Diffstat (limited to 'spec/lib/gitlab/emoji_spec.rb')
-rw-r--r-- | spec/lib/gitlab/emoji_spec.rb | 11 |
1 files changed, 10 insertions, 1 deletions
diff --git a/spec/lib/gitlab/emoji_spec.rb b/spec/lib/gitlab/emoji_spec.rb
index ada37f25d1e..8f855489c12 100644
--- a/spec/lib/gitlab/emoji_spec.rb
+++ b/spec/lib/gitlab/emoji_spec.rb
@@ -91,7 +91,16 @@ RSpec.describe Gitlab::Emoji do
 it 'returns emoji image tag' do
 emoji_image = described_class.emoji_image_tag('emoji_one', 'src_url')
- expect(emoji_image).to eq( "<img class='emoji' title=':emoji_one:' alt=':emoji_one:' src='src_url' height='20' width='20' align='absmiddle' />")
+ expect(emoji_image).to eq("<img class=\"emoji\" src=\"src_url\" title=\":emoji_one:\" alt=\":emoji_one:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
+ end
+
+ it 'escapes emoji image attrs to prevent XSS' do
+ xss_payload = "<script>alert(1)</script>"
+ escaped_xss_payload = html_escape(xss_payload)
+
+ emoji_image = described_class.emoji_image_tag(xss_payload, 'http://aaa#' + xss_payload)
+
+ expect(emoji_image).to eq("<img class=\"emoji\" src=\"http://aaa##{escaped_xss_payload}\" title=\":#{escaped_xss_payload}:\" alt=\":#{escaped_xss_payload}:\" height=\"20\" width=\"20\" align=\"absmiddle\" />")
 end
 end
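Review bot: The new 'escapes emoji image attrs to prevent XSS' example only feeds an angle-bracket payload, so it would still pass if emoji_image_tag escaped `<` and `>` but left `"` and `&` untouched, and a double quote is exactly what breaks out of the double-quoted attributes the expectation now asserts; add a second input containing a quote and an ampersand (e.g. `"a\"b&c"`) and assert both come back as their entity forms. On the `escaped_xss_payload = html_escape(xss_payload)` line, `html_escape` is called unqualified — presumably `ERB::Util` is mixed into the example group by a spec helper, but if it is not, the example errors on that line instead of failing on the escaping itself; `ERB::Util.html_escape(xss_payload)` removes the dependence. The `'http://aaa#' + xss_payload` argument would read better as `"http://aaa##{xss_payload}"`, matching the interpolation already used in the expectation. The enclosing describe block starts before the hunk.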