Merge branch '32908-edit-comment' into 'master'
Escapes html content before appending it to the DOM See merge request !2105
This commit is contained in:
commit
0a6ee7ceca
3 changed files with 45 additions and 2 deletions
|
@ -1398,7 +1398,7 @@ const normalizeNewlines = function(str) {
|
|||
const cachedNoteBodyText = $noteBodyText.html();
|
||||
|
||||
// Show updated comment content temporarily
|
||||
$noteBodyText.html(formContent);
|
||||
$noteBodyText.html(_.escape(formContent));
|
||||
$editingNote.removeClass('is-editing fade-in-full').addClass('being-posted fade-in-half');
|
||||
$editingNote.find('.note-headline-meta a').html('<i class="fa fa-spinner fa-spin" aria-label="Comment is being updated" aria-hidden="true"></i>');
|
||||
|
||||
|
@ -1411,7 +1411,7 @@ const normalizeNewlines = function(str) {
|
|||
})
|
||||
.fail(() => {
|
||||
// Submission failed, revert back to original note
|
||||
$noteBodyText.html(cachedNoteBodyText);
|
||||
$noteBodyText.html(_.escape(cachedNoteBodyText));
|
||||
$editingNote.removeClass('being-posted fade-in');
|
||||
$editingNote.find('.fa.fa-spinner').remove();
|
||||
|
||||
|
|
4
changelogs/unreleased/32908-edit-comment.yml
Normal file
4
changelogs/unreleased/32908-edit-comment.yml
Normal file
|
@ -0,0 +1,4 @@
|
|||
---
|
||||
title: Escapes html content before appending it to the DOM
|
||||
merge_request:
|
||||
author:
|
|
@ -443,6 +443,45 @@ import '~/notes';
|
|||
});
|
||||
});
|
||||
|
||||
describe('update comment with script tags', () => {
|
||||
const sampleComment = '<script></script>';
|
||||
const updatedComment = '<script></script>';
|
||||
const note = {
|
||||
id: 1234,
|
||||
html: `<li class="note note-row-1234 timeline-entry" id="note_1234">
|
||||
<div class="note-text">${sampleComment}</div>
|
||||
</li>`,
|
||||
note: sampleComment,
|
||||
valid: true
|
||||
};
|
||||
let $form;
|
||||
let $notesContainer;
|
||||
|
||||
beforeEach(() => {
|
||||
this.notes = new Notes('', []);
|
||||
window.gon.current_username = 'root';
|
||||
window.gon.current_user_fullname = 'Administrator';
|
||||
$form = $('form.js-main-target-form');
|
||||
$notesContainer = $('ul.main-notes-list');
|
||||
$form.find('textarea.js-note-text').html(sampleComment);
|
||||
});
|
||||
|
||||
it('should not render a script tag', () => {
|
||||
const deferred = $.Deferred();
|
||||
spyOn($, 'ajax').and.returnValue(deferred.promise());
|
||||
$('.js-comment-button').click();
|
||||
|
||||
deferred.resolve(note);
|
||||
const $noteEl = $notesContainer.find(`#note_${note.id}`);
|
||||
$noteEl.find('.js-note-edit').click();
|
||||
$noteEl.find('textarea.js-note-text').html(updatedComment);
|
||||
$noteEl.find('.js-comment-save-button').click();
|
||||
|
||||
const $updatedNoteEl = $notesContainer.find(`#note_${note.id}`).find('.js-task-list-container');
|
||||
expect($updatedNoteEl.find('.note-text').text().trim()).toEqual('');
|
||||
});
|
||||
});
|
||||
|
||||
describe('getFormData', () => {
|
||||
it('should return form metadata object from form reference', () => {
|
||||
this.notes = new Notes('', []);
|
||||
|
|
Loading…
Reference in a new issue