mirror of
https://github.com/discourse/discourse.git
synced 2024-11-27 22:36:18 +08:00
d92fd30d23
Original solution to use `description` instead of `text_description` was wrong: https://github.com/discourse/discourse/pull/20436 Problem is that we have to escape HTML tags. However, we would like to use escape method which is keep `/` intact. Expected behavior is given by ERB::Util.html_escape instead of Rack::Utils.escape_html /t/92015
24 lines
712 B
Ruby
24 lines
712 B
Ruby
# frozen_string_literal: true
|
|
|
|
require "category_badge"
|
|
|
|
RSpec.describe CategoryBadge do
|
|
it "escapes HTML in category names / descriptions" do
|
|
c = Fabricate(:category, name: "<b>name</b>", description: "<b>title</b>")
|
|
|
|
html = CategoryBadge.html_for(c)
|
|
|
|
expect(html).not_to include("<b>title</b>")
|
|
expect(html).not_to include("<b>name</b>")
|
|
expect(html).to include(ERB::Util.html_escape("<b>name</b>"))
|
|
expect(html).to include("title='title'")
|
|
end
|
|
|
|
it "escapes code block contents" do
|
|
c = Fabricate(:category, description: '<code>\' <b id="x"></code>')
|
|
html = CategoryBadge.html_for(c)
|
|
|
|
expect(html).to include("title='' <b id="x">'")
|
|
end
|
|
end
|