Commit afc5a516 authored by Robert Speicher's avatar Robert Speicher Committed by Rémy Coutable

Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'

Escape HTML nodes in builds commands in ci linter

This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.

Closes #22541

See merge request !2001
Signed-off-by: default avatarRémy Coutable <remy@rymai.me>
parent b7a6ad82
......@@ -4,6 +4,7 @@ v 8.10.11
- Respect the fork_project permission when forking projects
- Set a restrictive CORS policy on the API for credentialed requests
- API: disable rails session auth for non-GET/HEAD requests
- Escape HTML nodes in builds commands in CI linter
v 8.10.10
- Allow the Rails cookie to be used for API authentication.
......
......@@ -16,8 +16,7 @@
%tr
%td #{stage.capitalize} Job - #{build[:name]}
%td
%pre
= simple_format build[:commands]
%pre= build[:commands]
%br
%b Tag list:
......
require 'spec_helper'
describe 'ci/lints/show' do
include Devise::TestHelpers
before do
assign(:status, true)
assign(:stages, %w[test])
assign(:builds, builds)
end
context 'when builds attrbiutes contain HTML nodes' do
let(:builds) do
[ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ]
end
it 'does not render HTML elements' do
render
expect(rendered).not_to have_css('h1', text: 'rspec')
end
end
context 'when builds attributes do not contain HTML nodes' do
let(:builds) do
[ { name: 'rspec', stage: 'test', commands: 'rspec' } ]
end
it 'shows configuration in the table' do
render
expect(rendered).to have_css('td pre', text: 'rspec')
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment