Escape URL parts on formatting local status (#4975)

author: unarist <m.unarist@gmail.com> 2017-09-17 04:33:52 +0900
committer: Eugen Rochko <eugen@zeonfederated.com> 2017-09-16 21:33:52 +0200
commit: ec36df97c4ea3da4bc177a96050c54cf8f35ba25 (patch)
tree: 93e6e8172fc06de2e43df6c0bbf5c2788a576e61 /spec/lib/formatter_spec.rb
parent: c8969dca3581cb82c5787f37bb4022f7af74cd15 (diff)
1 files changed, 16 insertions, 0 deletions
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
index f9b7efac5..b714b317a 100644
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
@@ -121,6 +121,22 @@ RSpec.describe Formatter do
       end
     end
 
+    context 'contains unsafe URL (XSS attack, visible part)' do
+      let(:text) { %q{http://example.com/b<del>b</del>} }
+
+      it 'has escaped HTML' do
+        is_expected.to include '&lt;del&gt;b&lt;/del&gt;'
+      end
+    end
+
+    context 'contains unsafe URL (XSS attack, invisible part)' do
+      let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} }
+
+      it 'has escaped HTML' do
+        is_expected.to include '&lt;script&gt;alert(&quot;Hello&quot;)&lt;/script&gt;'
+      end
+    end
+
     context 'contains HTML (script tag)' do
       let(:text) { '<script>alert("Hello")</script>' }
author	unarist <m.unarist@gmail.com>	2017-09-17 04:33:52 +0900
committer	Eugen Rochko <eugen@zeonfederated.com>	2017-09-16 21:33:52 +0200
commit	ec36df97c4ea3da4bc177a96050c54cf8f35ba25 (patch)
tree	93e6e8172fc06de2e43df6c0bbf5c2788a576e61 /spec/lib/formatter_spec.rb
parent	c8969dca3581cb82c5787f37bb4022f7af74cd15 (diff)