github-mirror/discourse
2
0
Fork 0
mirror of https://github.com/discourse/discourse.git synced 2024-11-23 20:20:43 +08:00
Code Issues Actions 1 Packages Projects Releases Wiki Activity
0cec84206e
discourse/spec/models/user_field_spec.rb

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

32 lines
995 B
Ruby
Raw Normal View History

DEV: use #frozen_string_literal: true on all spec This change both speeds up specs (less strings to allocate) and helps catch cases where methods in Discourse are mutating inputs. Overall we will be migrating everything to use #frozen_string_literal: true it will take a while, but this is the first and safest move in this direction
2019-04-30 08:27:42 +08:00
# frozen_string_literal: true
Add RSpec 4 compatibility (#17652) * Remove outdated option https://github.com/rspec/rspec-core/commit/04078317ba6577699d06cf4dccf014254dcde7a6 * Use the non-globally exposed RSpec syntax https://github.com/rspec/rspec-core/pull/2803 * Use the non-globally exposed RSpec syntax, cont https://github.com/rspec/rspec-core/pull/2803 * Comply to strict predicate matchers See: - https://github.com/rspec/rspec-expectations/pull/1195 - https://github.com/rspec/rspec-expectations/pull/1196 - https://github.com/rspec/rspec-expectations/pull/1277
2022-07-28 10:27:38 +08:00
RSpec.describe UserField do
UX: make name optional for confirmation user field (#7149)
2019-03-14 01:40:43 +08:00
describe "doesn't validate presence of name if field type is 'confirm'" do
subject { described_class.new(field_type: "confirm") }
it { is_expected.not_to validate_presence_of :name }
end
describe "validates presence of name for other field types" do
subject { described_class.new(field_type: "dropdown") }
it { is_expected.to validate_presence_of :name }
end
DEV: Sanitize HTML admin inputs (#14681) * DEV: Sanitize HTML admin inputs This PR adds on-save HTML sanitization for: Client site settings translation overrides badges descriptions user fields descriptions I used Rails's SafeListSanitizer, which [accepts the following HTML tags and attributes](https://github.com/rails/rails-html-sanitizer/blob/018cf540737ae10ee1c673ce184408881852c479/lib/rails/html/sanitizer.rb#L108) * Make sure that the sanitization logic doesn't corrupt settings with special characters
2021-10-27 22:33:07 +08:00
it "sanitizes the description" do
xss = "<b onmouseover=alert('Wufff!')>click me!</b><script>alert('TEST');</script>"
user_field = Fabricate(:user_field)
user_field.update!(description: xss)
expect(user_field.description).to eq("<b>click me!</b>alert('TEST');")
end
FEATURE: Allow `target` attribute in links in user_field descriptions (#19102) This change adds `target` to the set of attributes allowed by the HTML sanitizer which is applied to the description of a user_field. The rationale for this change: * If one puts a link (<a>...</a>) in the description of a user_field that is present and/or required at sign-up, the expectation is that a prospective new user will click on that link during sign-up. * Without an appropriate `target` attribute on the link, the new page will be loaded in the same window/tab as the sign-up form, but this will obliterate any fields that the user had already filled-out on the form. (E.g., hitting the back-button will return to an empty form.) * Such UX behavior is incredibly aggravating to new users. This change allows an admin to add a `target` attribute to links, to instruct the browser to open them in a different window/tab, leaving a sign-up form intact.
2023-01-06 21:18:35 +08:00
it "allows target attribute in the description" do
link = "<a target=\"_blank\" href=\"/elsewhere\">elsewhere</a>"
user_field = Fabricate(:user_field)
user_field.update!(description: link)
expect(user_field.description).to eq(link)
end
UX: make name optional for confirmation user field (#7149)
2019-03-14 01:40:43 +08:00
end
Reference in New Issue Copy Permalink