From ec36df97c4ea3da4bc177a96050c54cf8f35ba25 Mon Sep 17 00:00:00 2001 From: unarist Date: Sun, 17 Sep 2017 04:33:52 +0900 Subject: Escape URL parts on formatting local status (#4975) --- spec/lib/formatter_spec.rb | 16 ++++++++++++++++ 1 file changed, 16 insertions(+) (limited to 'spec/lib') diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb index f9b7efac5..b714b317a 100644 --- a/spec/lib/formatter_spec.rb +++ b/spec/lib/formatter_spec.rb @@ -121,6 +121,22 @@ RSpec.describe Formatter do end end + context 'contains unsafe URL (XSS attack, visible part)' do + let(:text) { %q{http://example.com/bb} } + + it 'has escaped HTML' do + is_expected.to include '<del>b</del>' + end + end + + context 'contains unsafe URL (XSS attack, invisible part)' do + let(:text) { %q{http://example.com/blahblahblahblah/a} } + + it 'has escaped HTML' do + is_expected.to include '<script>alert("Hello")</script>' + end + end + context 'contains HTML (script tag)' do let(:text) { '' } -- cgit