mirror of
https://github.com/discourse/discourse.git
synced 2024-12-16 01:33:43 +08:00
50 lines
1.7 KiB
Ruby
50 lines
1.7 KiB
Ruby
|
# frozen_string_literal: true
|
||
|
RSpec.describe "escaping of noscript content" do
|
||
|
def noscript_content
|
||
|
# Browsers do not parse the contents of noscript tags - they just look for the next string matching `</noscript>`
|
||
|
# Can't use nokogiri because it parses documents with the 'scripting flag' disabled, and therefore parses html inside noscript tags
|
||
|
noscript_content = response.body.scan(%r{<noscript.*?>(.*?)</noscript>}m).join("\n")
|
||
|
end
|
||
|
|
||
|
it "does not affect normal content" do
|
||
|
post = Fabricate(:post, raw: 'This is a post with an image <img alt="<Look at this!>">')
|
||
|
get post.url
|
||
|
|
||
|
expect(noscript_content).to include('<img alt="<Look at this!>">')
|
||
|
end
|
||
|
|
||
|
it "escapes noscript in attribute" do
|
||
|
post =
|
||
|
Fabricate(
|
||
|
:post,
|
||
|
raw: 'This is a post with an image <img alt="</noscript>"> containing a noscript end tag',
|
||
|
)
|
||
|
get post.url
|
||
|
|
||
|
expect(noscript_content).to include('<img alt="</noscript>">')
|
||
|
end
|
||
|
|
||
|
it "escapes noscript with trailing whitespace" do
|
||
|
post =
|
||
|
Fabricate(
|
||
|
:post,
|
||
|
raw: 'This is a post with an image <img alt="</noscript >"> containing a noscript end tag',
|
||
|
)
|
||
|
get post.url
|
||
|
|
||
|
expect(noscript_content).to include('<img alt="</noscript >">')
|
||
|
end
|
||
|
|
||
|
it "escapes noscript with leading whitespace" do
|
||
|
# The spec doesn't accept closing tags with leading whitespace. Browsers follow that, but some other parsers are more relaxed so we escape anyway
|
||
|
post =
|
||
|
Fabricate(
|
||
|
:post,
|
||
|
raw: 'This is a post with an image <img alt="</ noscript>"> containing a noscript end tag',
|
||
|
)
|
||
|
get post.url
|
||
|
|
||
|
expect(noscript_content).to include('<img alt="</ noscript>">')
|
||
|
end
|
||
|
end
|