Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in / Register
Toggle navigation
G
gitlab-ce
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
1
Merge Requests
1
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
nexedi
gitlab-ce
Commits
c2d36027
Commit
c2d36027
authored
Jul 22, 2019
by
GitLab Bot
Browse files
Options
Browse Files
Download
Plain Diff
Automatic merge of gitlab-org/gitlab-ce master
parents
710599bd
53547792
Changes
1
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
12 additions
and
2 deletions
+12
-2
qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
...es/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
+12
-2
No files found.
qa/qa/specs/features/browser_ui/2_plan/issue/check_mentions_for_xss_spec.rb
View file @
c2d36027
...
@@ -4,14 +4,24 @@ module QA
...
@@ -4,14 +4,24 @@ module QA
context
'Plan'
do
context
'Plan'
do
describe
'check xss occurence in @mentions in issues'
do
describe
'check xss occurence in @mentions in issues'
do
before
do
before
do
Runtime
::
Browser
.
visit
(
:gitlab
,
Page
::
Main
::
Login
)
QA
::
Runtime
::
Env
.
personal_access_token
=
QA
::
Runtime
::
Env
.
admin_personal_access_token
Page
::
Main
::
Login
.
perform
(
&
:sign_in_using_credentials
)
unless
QA
::
Runtime
::
Env
.
personal_access_token
Runtime
::
Browser
.
visit
(
:gitlab
,
Page
::
Main
::
Login
)
Page
::
Main
::
Login
.
perform
(
&
:sign_in_using_admin_credentials
)
end
user
=
Resource
::
User
.
fabricate_via_api!
do
|
user
|
user
=
Resource
::
User
.
fabricate_via_api!
do
|
user
|
user
.
name
=
"eve <img src=x onerror=alert(2)<img src=x onerror=alert(1)>"
user
.
name
=
"eve <img src=x onerror=alert(2)<img src=x onerror=alert(1)>"
user
.
password
=
"test1234"
user
.
password
=
"test1234"
end
end
QA
::
Runtime
::
Env
.
personal_access_token
=
nil
Page
::
Main
::
Menu
.
perform
(
&
:sign_out
)
if
Page
::
Main
::
Menu
.
perform
{
|
p
|
p
.
has_personal_area?
(
wait:
0
)
}
Page
::
Main
::
Login
.
perform
(
&
:sign_in_using_credentials
)
project
=
Resource
::
Project
.
fabricate_via_api!
do
|
resource
|
project
=
Resource
::
Project
.
fabricate_via_api!
do
|
resource
|
resource
.
name
=
'xss-test-for-mentions-project'
resource
.
name
=
'xss-test-for-mentions-project'
end
end
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment