Diffstat (limited to 'spec/requests/jira_connect/users_controller_spec.rb')
-rw-r--r--spec/requests/jira_connect/users_controller_spec.rb11
1 files changed, 11 insertions, 0 deletions
diff --git a/spec/requests/jira_connect/users_controller_spec.rb b/spec/requests/jira_connect/users_controller_spec.rb
index c648d28c1bc..6e927aaba91 100644
--- a/spec/requests/jira_connect/users_controller_spec.rb
+++ b/spec/requests/jira_connect/users_controller_spec.rb
@@ -31,5 +31,16 @@ RSpec.describe JiraConnect::UsersController do
expect(response.body).not_to include('Return to GitLab')
end
end
+
+ context 'with a script injected' do
+ let(:return_to) { 'javascript://test.atlassian.net/%250dalert(document.domain)' }
+
+ it 'does not include a return url' do
+ get '/-/jira_connect/users', params: { return_to: return_to }
+
+ expect(response).to have_gitlab_http_status(:ok)
+ expect(response.body).not_to include('Return to GitLab')
+ end
+ end
end
end
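Review bot: The new context asserts only that the link text 'Return to GitLab' is absent, which does not prove the `javascript:` URL itself was kept out of the response; a renderer change that emits the URL under a different label, or in an attribute without that text, would still pass. Add an assertion on the payload, e.g. `expect(response.body).not_to include('javascript:')`, so the spec pins the actual protective behaviour rather than a piece of copy. The `%250d` in `let(:return_to)` is double-encoded, so a one-line comment such as `# double-encoded CR; verifies the scheme check runs on the decoded value` would tell the next reader why that form was chosen. The enclosing `RSpec.describe` block starts outside the hunk.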