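require 'spec_helper'
require 'nokogiri'

module Gitlab
  # Specs for Asciidoc.render: the options handed to Asciidoctor, the handling
  # of markup that tries to smuggle event-handler attributes into the output,
  # and the `rel` attribute placed on external links.
  describe Asciidoc, lib: true do
    let(:input) { 'ascii' }
    let(:context) { {} }
    let(:html) { 'H2O' }

    context "without project" do
      before do
        allow_any_instance_of(ApplicationSetting).to receive(:current).and_return(::ApplicationSetting.create_from_defaults)
      end

      it "converts the input using Asciidoctor and default options" do
        # `safe: :secure` is Asciidoctor's most restrictive safe mode; pinning it
        # here makes any loosening of the converter options fail this example.
        expected_asciidoc_opts = {
          safe: :secure,
          backend: :gitlab_html5,
          attributes: described_class::DEFAULT_ADOC_ATTRS
        }

        expect(Asciidoctor).to receive(:convert)
          .with(input, expected_asciidoc_opts).and_return(html)

        expect(render(input, context)).to eq(html)
      end

      context "with asciidoc_opts" do
        # NOTE(review): no extra options are passed to `render` here, so this
        # example checks the same defaults as the one above and does not
        # exercise a merge. Confirm whether `render` still accepts caller
        # options; if it does, add a case showing `safe:` cannot be lowered.
        it "merges the options with default ones" do
          expected_asciidoc_opts = {
            safe: :secure,
            backend: :gitlab_html5,
            attributes: described_class::DEFAULT_ADOC_ATTRS
          }

          expect(Asciidoctor).to receive(:convert)
            .with(input, expected_asciidoc_opts).and_return(html)

          render(input, context)
        end
      end

      context "XSS" do
        # Each case pairs an input carrying an attribute-injection attempt with a
        # fragment the rendered HTML is expected to contain.
        # NOTE(review): the `output` fragments in this copy look as if their HTML
        # tags were lost in extraction; verify them against the upstream spec
        # before relying on the `include` expectation alone.
        links = {
          'links' => {
            input: 'link:mylink"onmouseover="alert(1)[Click Here]',
            output: "
\n

Click Here

\n
"
          },
          'images' => {
            input: 'image:https://localhost.com/image.png[Alt text" onerror="alert(7)]',
            output: "\"Alt"
          },
          'pre' => {
            input: '```mypre">',
            output: "
\n
\n
\">
\n
\n
"
          }
        }

        links.each do |name, data|
          it "does not convert dangerous #{name} into HTML" do
            rendered = render(data[:input], context)

            expect(rendered).to include(data[:output])

            # Negative check: parse the result and make sure no element carries
            # an `on*` event-handler attribute. A substring match on the expected
            # fragment cannot prove that by itself.
            handler_attrs = Nokogiri::HTML.fragment(rendered).css('*').flat_map(&:keys).grep(/\Aon/i)
            expect(handler_attrs).to be_empty
          end
        end
      end

      context 'external links' do
        # `noopener` keeps the opened page from reaching back through
        # `window.opener`; `noreferrer` withholds the Referer header.
        it 'adds the `rel` attribute to the link' do
          output = render('link:https://google.com[Google]', context)

          expect(output).to include('rel="nofollow noreferrer noopener"')
        end
      end
    end

    # Forwards all arguments to the class under test.
    def render(*args)
      described_class.render(*args)
    end
  end
end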