Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'

Escape HTML nodes in builds commands in ci linter This MR removes call to `simple_format` that behaves like `String#html_safe`, thus it passes unescaped HTML tags to the view. Closes #22541 See merge request !2001

Merge branch 'fix/escape-builds-commands-in-ci-linter' into 'security'
08bab4bb · Robert Speicher · a4cddd81 · 528b988a · 08bab4bb · 08bab4bb
Commit 08bab4bb authored Sep 28, 2016 by Robert Speicher
Show whitespace changes
Inline Side-by-side

Showing with 36 additions and 2 deletions

_create.html.haml app/views/ci/lints/_create.html.haml +1 -2

show.html.haml_spec.rb spec/views/ci/lints/show.html.haml_spec.rb +35 -0

No files found.
--- a/app/views/ci/lints/_create.html.haml
+++ b/app/views/ci/lints/_create.html.haml
@@ -16,8 +16,7 @@
            %tr
              %td #{stage.capitalize} Job - #{build[:name]}
              %td
-                %pre
+                %pre= build[:commands]
-                  = simple_format build[:commands]
                %br
                %b Tag list:

--- a/spec/views/ci/lints/show.html.haml_spec.rb
+++ b/spec/views/ci/lints/show.html.haml_spec.rb
+require 'spec_helper'
+describe 'ci/lints/show' do
+  include Devise::TestHelpers
+  before do
+    assign(:status, true)
+    assign(:stages, %w[test])
+    assign(:builds, builds)
+  end
+  context 'when builds attrbiutes contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: '<h1>rspec</h1>' } ]
+    end
+    it 'does not render HTML elements' do
+      render
+      expect(rendered).not_to have_css('h1', text: 'rspec')
+    end
+  end
+  context 'when builds attributes do not contain HTML nodes' do
+    let(:builds) do
+      [ { name: 'rspec', stage: 'test', commands: 'rspec' } ]
+    end
+    it 'shows configuration in the table' do
+      render
+      expect(rendered).to have_css('td pre', text: 'rspec')
+    end
+  end
+end