Commit 08bab4bb authored by Robert Speicher's avatar Robert Speicher

Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'

Escape HTML nodes in builds commands in ci linter

This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view.

Closes #22541

See merge request !2001
parents a4cddd81 528b988a
......@@ -16,8 +16,7 @@
%tr
%td #{stage.capitalize} Job - #{build[:name]}
%td
%pre
= simple_format build[:commands]
%pre= build[:commands]
%br
%b Tag list:
......
require 'spec_helper'
describe 'ci/lints/show' do
include Devise::TestHelpers
before do
assign(:status, true)
assign(:stages, %w[test])
assign(:builds, builds)
end
context 'when builds attrbiutes contain HTML nodes' do
let(:builds) do
[ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ]
end
it 'does not render HTML elements' do
render
expect(rendered).not_to have_css('h1', text: 'rspec')
end
end
context 'when builds attributes do not contain HTML nodes' do
let(:builds) do
[ { name: 'rspec', stage: 'test', commands: 'rspec' } ]
end
it 'shows configuration in the table' do
render
expect(rendered).to have_css('td pre', text: 'rspec')
end
end
end
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment