aa4ff47208
This change adds `target` to the set of attributes allowed by the HTML sanitizer which is applied to the description of a user_field. The rationale for this change: * If one puts a link (<a>...</a>) in the description of a user_field that is present and/or required at sign-up, the expectation is that a prospective new user will click on that link during sign-up. * Without an appropriate `target` attribute on the link, the new page will be loaded in the same window/tab as the sign-up form, but this will obliterate any fields that the user had already filled-out on the form. (E.g., hitting the back-button will return to an empty form.) * Such UX behavior is incredibly aggravating to new users. This change allows an admin to add a `target` attribute to links, to instruct the browser to open them in a different window/tab, leaving a sign-up form intact.
# frozen_string_literal: true
RSpec.describe UserField do
  # A name is optional only for the 'confirm' field type; every other type
  # must carry one.
  describe "doesn't validate presence of name if field type is 'confirm'" do
    subject(:confirm_field) { described_class.new(field_type: 'confirm') }

    it { is_expected.not_to validate_presence_of :name }
  end

  describe "validates presence of name for other field types" do
    subject(:dropdown_field) { described_class.new(field_type: 'dropdown') }

    it { is_expected.to validate_presence_of :name }
  end

  # The description is passed through an HTML sanitizer on save: the inline
  # event handler and the <script> element are dropped, while the script's
  # text content survives as plain text (see the expected value).
  it 'sanitizes the description' do
    xss = "<b onmouseover=alert('Wufff!')>click me!</b><script>alert('TEST');</script>"
    sanitized = "<b>click me!</b>alert('TEST');"

    field = Fabricate(:user_field).tap { |f| f.update!(description: xss) }

    expect(field.description).to eq(sanitized)
  end

  # `target` is on the sanitizer's attribute allow-list so that links in a
  # sign-up field description can open in a new tab without discarding the
  # half-filled form. The markup is expected to survive unchanged.
  # NOTE(review): a `rel` attribute on the link is not asserted here, so this
  # spec says nothing about whether `rel="noopener"` is kept or stripped.
  it 'allows target attribute in the description' do
    link = '<a target="_blank" href="/elsewhere">elsewhere</a>'

    field = Fabricate(:user_field).tap { |f| f.update!(description: link) }

    expect(field.description).to eq(link)
  end
end