Merge branch 'security-user-name-html' into 'master'

Fix note author name rendering Closes #173 See merge request gitlab-org/security/gitlab!651

Merge branch 'security-user-name-html' into 'master'
Fix note author name rendering Closes #173 See merge request gitlab-org/security/gitlab!651
0e4e4b47 · GitLab Release Tools Bot · 124f3a2c · a5d4d3f7 · 0e4e4b47 · 0e4e4b47
Commit 0e4e4b47 authored Jun 29, 2020 by GitLab Release Tools Bot
3 changed files
--- a/app/views/shared/notes/_note.html.haml
+++ b/app/views/shared/notes/_note.html.haml
@@ -32,7 +32,7 @@
        .note-header-info
          %a{ href: user_path(note.author) }
            %span.note-header-author-name.bold
-              = sanitize(note.author.name)
+              = note.author.name
            = user_status(note.author)
            %span.note-headline-light
              = note.author.to_reference

--- a/changelogs/unreleased/security-user-name-html.yml
+++ b/changelogs/unreleased/security-user-name-html.yml
+---
+title: Fix note author name rendering
+merge_request:
+author:
+type: security
--- a/spec/features/snippets/notes_on_personal_snippets_spec.rb
+++ b/spec/features/snippets/notes_on_personal_snippets_spec.rb
@@ -5,15 +5,17 @@ require 'spec_helper'
 RSpec.describe 'Comments on personal snippets', :js do
  include NoteInteractionHelpers

-  let!(:user)    { create(:user) }
-  let!(:snippet) { create(:personal_snippet, :public) }
+  let_it_be(:snippet) { create(:personal_snippet, :public) }
+  let_it_be(:other_note) { create(:note_on_personal_snippet) }
+
+  let(:user_name) { 'Test User' }
+  let!(:user) { create(:user, name: user_name) }
  let!(:snippet_notes) do
    [
      create(:note_on_personal_snippet, noteable: snippet, author: user),
      create(:note_on_personal_snippet, noteable: snippet)
    ]
  end
-  let!(:other_note) { create(:note_on_personal_snippet) }

  before do
    stub_feature_flags(snippets_vue: false)
@@ -56,6 +58,26 @@ RSpec.describe 'Comments on personal snippets', :js do
        expect(page).to show_user_status(status)
      end
    end
+
+    it 'shows the author name' do
+      visit snippet_path(snippet)
+
+      within("#note_#{snippet_notes[0].id}") do
+        expect(page).to have_content(user_name)
+      end
+    end
+
+    context 'when the author name contains HTML' do
+      let(:user_name) { '<h1><a href="https://bad.link/malicious.exe" class="evil">Fake Content<img class="fake-icon" src="image.png"></a></h1>' }
+
+      it 'renders the name as plain text' do
+        visit snippet_path(snippet)
+
+        content = find("#note_#{snippet_notes[0].id} .note-header-author-name").text
+
+        expect(content).to eq user_name
+      end
+    end
  end

  context 'when submitting a note' do