Jarek Radosz
d407bcab36
* FIX: Correctly escape category description text
This bug has been introduced in db14e10943.
* Remove unnecessary `html_safe`
`Theme.lookup_field` already returns html-safe strings: https://github.com/discourse/discourse/blob/7ad338e3e6dee158cd704e7e62395bf5df835f7f/app/models/theme.rb#L237-L242
* Rename `description` where it's acutally `descriptionText`
25 lines
730 B
Ruby
25 lines
730 B
Ruby
# frozen_string_literal: true
|
|
|
|
require 'rails_helper'
|
|
require 'category_badge'
|
|
|
|
describe CategoryBadge do
|
|
it "escapes HTML in category names / descriptions" do
|
|
c = Fabricate(:category, name: '<b>name</b>', description: '<b>title</b>')
|
|
|
|
html = CategoryBadge.html_for(c)
|
|
|
|
expect(html).not_to include("<b>title</b>")
|
|
expect(html).not_to include("<b>name</b>")
|
|
expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
|
|
expect(html).to include("title='title'")
|
|
end
|
|
|
|
it "escapes code block contents" do
|
|
c = Fabricate(:category, description: '<code>\' <b id="x"></code>')
|
|
html = CategoryBadge.html_for(c)
|
|
|
|
expect(html).to include("title='' <b id="x">'")
|
|
end
|
|
end
|