diff options
author | unarist <m.unarist@gmail.com> | 2017-09-17 04:33:52 +0900 |
---|---|---|
committer | Eugen Rochko <eugen@zeonfederated.com> | 2017-09-16 21:33:52 +0200 |
commit | ec36df97c4ea3da4bc177a96050c54cf8f35ba25 (patch) | |
tree | 93e6e8172fc06de2e43df6c0bbf5c2788a576e61 /spec/lib | |
parent | c8969dca3581cb82c5787f37bb4022f7af74cd15 (diff) |
Escape URL parts on formatting local status (#4975)
Diffstat (limited to 'spec/lib')
-rw-r--r-- | spec/lib/formatter_spec.rb | 16 |
1 files changed, 16 insertions, 0 deletions
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb index f9b7efac5..b714b317a 100644 --- a/spec/lib/formatter_spec.rb +++ b/spec/lib/formatter_spec.rb @@ -121,6 +121,22 @@ RSpec.describe Formatter do end end + context 'contains unsafe URL (XSS attack, visible part)' do + let(:text) { %q{http://example.com/b<del>b</del>} } + + it 'has escaped HTML' do + is_expected.to include '<del>b</del>' + end + end + + context 'contains unsafe URL (XSS attack, invisible part)' do + let(:text) { %q{http://example.com/blahblahblahblah/a<script>alert("Hello")</script>} } + + it 'has escaped HTML' do + is_expected.to include '<script>alert("Hello")</script>' + end + end + context 'contains HTML (script tag)' do let(:text) { '<script>alert("Hello")</script>' } |