discourse/spec/lib/category_badge_spec.rb

# frozen_string_literal: true

require "category_badge"

RSpec.describe CategoryBadge do
  it "escapes HTML in category names / descriptions" do
    c = Fabricate(:category, name: "<b>name</b>", description: "<b>title</b>")

    html = CategoryBadge.html_for(c)

    expect(html).not_to include("<b>title</b>")
    expect(html).not_to include("<b>name</b>")
    expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
    expect(html).to include("title='title'")
  end

  it "escapes code block contents" do
    c = Fabricate(:category, description: '<code>\' &lt;b id="x"&gt;</code>')
    html = CategoryBadge.html_for(c)

    expect(html).to include("title='&#x27; &lt;b id=&quot;x&quot;&gt;'")
  end
end
DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction 2019-04-29 19:27:42 -05:00			`# frozen_string_literal: true`

DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`require "category_badge"`
SECURITY: category badges should HTML escape names 2018-06-28 03:14:55 -05:00
Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277 2022-07-27 21:27:38 -05:00			`RSpec.describe CategoryBadge do`
SECURITY: category badges should HTML escape names 2018-06-28 03:14:55 -05:00			`it "escapes HTML in category names / descriptions" do`
DEV: Apply syntax_tree formatting to `spec/*` 2023-01-09 05:18:21 -06:00			`c = Fabricate(:category, name: "<b>name</b>", description: "<b>title</b>")`
SECURITY: category badges should HTML escape names 2018-06-28 03:14:55 -05:00
			`html = CategoryBadge.html_for(c)`

			`expect(html).not_to include("<b>title</b>")`
			`expect(html).not_to include("<b>name</b>")`
			`expect(html).to include(ERB::Util.html_escape("<b>name</b>"))`
			`expect(html).to include("title='title'")`
			`end`
FIX: Correctly escape category description text (#8107) * FIX: Correctly escape category description text This bug has been introduced in db14e10943aeb87f3a2e06f02ca788986f039077. * Remove unnecessary `html_safe` `Theme.lookup_field` already returns html-safe strings: https://github.com/discourse/discourse/blob/7ad338e3e6dee158cd704e7e62395bf5df835f7f/app/models/theme.rb#L237-L242 * Rename `description` where it's acutally `descriptionText` 2019-10-01 11:04:40 -05:00
			`it "escapes code block contents" do`
			`c = Fabricate(:category, description: '<code>\' <b id="x"></code>')`
			`html = CategoryBadge.html_for(c)`

			`expect(html).to include("title='' <b id="x">'")`
			`end`
SECURITY: category badges should HTML escape names 2018-06-28 03:14:55 -05:00			`end`