Add failing test for XSS in mermaid diagrams

(cherry picked from commit fdea799d37ae9ca3f5e80f191a55be543a79857a)

Add failing test for XSS in mermaid diagrams
58161315 · Winnie Hellmann · d88c4710 · 58161315 · 58161315
Commit 58161315 authored 6 years ago by Winnie Hellmann
--- a/spec/features/issues/user_comments_on_issue_spec.rb
+++ b/spec/features/issues/user_comments_on_issue_spec.rb
@@ -40,6 +40,18 @@ describe "User comments on issue", :js do
  
      expect(page.find('pre code').text).to eq code_block_content
    end
+
+    it "does not render html content in mermaid" do
+      html_content = "<img onerror=location=`javascript\\u003aalert\\u0028document.domain\\u0029` src=x>"
+      mermaid_content = "graph LR\n  B-->D(#{html_content});"
+      comment = "```mermaid\n#{mermaid_content}\n```"
+
+      add_note(comment)
+
+      wait_for_requests
+
+      expect(page.find('svg.mermaid')).to have_content html_content
+    end
  end
  
  context "when editing comments" do

--- a/spec/features/markdown/mermaid_spec.rb
+++ b/spec/features/markdown/mermaid_spec.rb
@@ -18,7 +18,7 @@ describe 'Mermaid rendering', :js do
    visit project_issue_path(project, issue)
  
    %w[A B C D].each do |label|
-      expect(page).to have_selector('svg foreignObject', text: label)
+      expect(page).to have_selector('svg text', text: label)
    end
  end
 end