mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 13:33:44 +08:00
d407bcab36
* FIX: Correctly escape category description text This bug has been introduced indb14e10943
. * Remove unnecessary `html_safe` `Theme.lookup_field` already returns html-safe strings:7ad338e3e6/app/models/theme.rb (L237-L242)
* Rename `description` where it's acutally `descriptionText`
25 lines
730 B
Ruby
25 lines
730 B
Ruby
# frozen_string_literal: true
|
|
|
|
require 'rails_helper'
|
|
require 'category_badge'
|
|
|
|
describe CategoryBadge do
|
|
it "escapes HTML in category names / descriptions" do
|
|
c = Fabricate(:category, name: '<b>name</b>', description: '<b>title</b>')
|
|
|
|
html = CategoryBadge.html_for(c)
|
|
|
|
expect(html).not_to include("<b>title</b>")
|
|
expect(html).not_to include("<b>name</b>")
|
|
expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
|
|
expect(html).to include("title='title'")
|
|
end
|
|
|
|
it "escapes code block contents" do
|
|
c = Fabricate(:category, description: '<code>\' <b id="x"></code>')
|
|
html = CategoryBadge.html_for(c)
|
|
|
|
expect(html).to include("title='' <b id="x">'")
|
|
end
|
|
end
|