osr-plastic/osr-discourse-src
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
This repository has been archived on 2023-03-18. You can view files and clone it, but cannot push or open issues or pull requests.
ccf1cd0ca6
osr-discourse-src/app/assets/javascripts/discourse/tests/unit/controllers/history-test.js
Robin Ward 61f5d501cb
DEV: Migrate to Ember CLI (#11932) 
This encompasses a lot of work done over the last year, much of which
has already been merged into master. This is the final set of changes
required to get Ember CLI running locally for development.

From here on it will be bug fixes / enhancements.

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
Co-authored-by: romanrizzi <rizziromanalejandro@gmail.com>

Co-authored-by: Jarek Radosz <jradosz@gmail.com>
Co-authored-by: romanrizzi <rizziromanalejandro@gmail.com>
2021-02-03 14:22:20 -05:00

119 lines
4.1 KiB
JavaScript
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

import { discourseModule } from "discourse/tests/helpers/qunit-helpers";
import { test } from "qunit";
discourseModule("Unit | Controller | history", function () {
test("displayEdit", async function (assert) {
const HistoryController = this.getController("history");
HistoryController.setProperties({
model: { last_revision: 3, current_revision: 3, can_edit: false },
topicController: {},
});
assert.equal(
HistoryController.get("displayEdit"),
false,
"it should not display edit button when user cannot edit the post"
);
HistoryController.set("model.can_edit", true);
assert.equal(
HistoryController.get("displayEdit"),
true,
"it should display edit button when user can edit the post"
);
HistoryController.set("topicController", null);
assert.equal(
HistoryController.get("displayEdit"),
false,
"it should not display edit button when there is not topic controller"
);
HistoryController.set("topicController", {});
HistoryController.set("model.current_revision", 2);
assert.equal(
HistoryController.get("displayEdit"),
false,
"it should only display the edit button on the latest revision"
);
const html = `<div class="revision-content">
<p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt="" class="diff-del"><img/src=x onerror=alert(document.domain)>" width="276" height="183"></p>
</div>
<aside class="onebox allowlistedgeneric">
<header class="source">
<img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
<a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta 9 Aug 19</a>
</header>
<article class="onebox-body">
<img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
<h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
<div style="clear: both"></div>
</article>
</aside>
<table background="javascript:alert(\"HACKEDXSS\")">
<thead>
<tr>
<th>Column</th>
<th style="text-align:left">Test</th>
</tr>
</thead>
<tbody>
<tr>
<td background="javascript:alert('HACKEDXSS')">Osama</td>
<td style="text-align:right">Testing</td>
</tr>
</tbody>
</table>`;
const expectedOutput = `<div class="revision-content">
<p><img src="/uploads/default/original/1X/6b963ffc13cb0c053bbb90c92e99d4fe71b286ef.jpg" alt class="diff-del">" width="276" height="183"&gt;</p>
</div>
<aside class="onebox allowlistedgeneric">
<header class="source">
<img src="/uploads/default/original/1X/1b0984d7ee08bce90572f46a1950e1ced436d028.png" class="site-icon" width="32" height="32">
<a href="https://meta.discourse.org/t/discourse-version-2-5/125302">Discourse Meta 9 Aug 19</a>
</header>
<article class="onebox-body">
<img src="/uploads/default/optimized/1X/ecc92a52ee7353e03d5c0d1ea6521ce4541d9c25_2_500x500.png" class="thumbnail onebox-avatar d-lazyload" width="500" height="500">
<h3><a href="https://meta.discourse.org/t/discourse-version-2-5/125302" target="_blank">Discourse Version 2.5</a></h3>
<div style="clear: both"></div>
</article>
</aside>
<table>
<thead>
<tr>
<th>Column</th>
<th style="text-align:left">Test</th>
</tr>
</thead>
<tbody>
<tr>
<td>Osama</td>
<td style="text-align:right">Testing</td>
</tr>
</tbody>
</table>`;
HistoryController.setProperties({
viewMode: "side_by_side",
model: {
body_changes: {
side_by_side: html,
},
},
});
await HistoryController.bodyDiffChanged();
const output = HistoryController.get("bodyDiff");
assert.equal(
output,
expectedOutput,
"it keeps HTML safe and doesn't strip onebox tags"
);
});
});
Reference in New Issue View Git Blame Copy Permalink