Non-markdown tags weren't being escaped in chat excerpts. This could be triggered by editing a chat message containing a tag (self XSS), or by replying to a chat message with a tag (XSS). Co-authored-by: Jan Cernik <jancernik12@gmail.com>
import { module, test } from "qunit";
import { setupRenderingTest } from "discourse/tests/helpers/component-test";
import { render } from "@ember/test-helpers";
import { hbs } from "ember-cli-htmlbars";
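// Integration tests for the `replace-emoji` helper. The helper turns
// `:shortcode:` tokens into emoji elements and must HTML-escape a plain
// string input, so markup contained in the input is shown as literal text
// rather than being parsed into DOM elements.
module("Integration | Helper | replace-emoji", function (hooks) {
  setupRenderingTest(hooks);

  test("it replaces the emoji", async function (assert) {
    await render(hbs`<span>{{replace-emoji "some text :heart:"}}</span>`);

    // The surrounding text is kept and the shortcode becomes an emoji element.
    assert.dom(`span`).includesText("some text");
    assert.dom(`.emoji[title="heart"]`).exists();
  });

  test("it escapes the text", async function (assert) {
    await render(
      hbs`<span>{{replace-emoji "<style>body: {background: red;}</style>"}}</span>`
    );

    // The tag must arrive as literal text ...
    assert.dom(`span`).hasText("<style>body: {background: red;}</style>");
    // ... and must not have been parsed into a real element; this is the
    // injection regression the escaping guards against, checked directly
    // rather than only through the text content.
    assert.dom(`span style`).doesNotExist();
  });

  test("it renders html-safe text", async function (assert) {
    // A value already marked html-safe is rendered unchanged.
    await render(hbs`<span>{{replace-emoji (html-safe "safe text")}}</span>`);

    assert.dom(`span`).hasText("safe text");
  });
});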