DEV: Fix preview sanitization test (#21521)

This test was passing, but the environment it was testing was incorrect.
The `image-controls` markdown rule allowlists several svgs when previewing.
But since `previewing: true` is only set on the parent `ComposerEditor`
component, the test in `DEditor` wasn't aware of that, so the output was
ignoring the `previewing` option.

This moves the test one level higher, to `ComposerEditor`, and because
now `previewing: true` is correctly used, it updates the test to show
that the svg element is present, but an `onload` attribute is stripped.
Penar Musaraj 2023-05-16 11:06:05 -04:00 committed by GitHub
parent 230a71b264
commit f6670aecfd
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 19 additions and 10 deletions


@ -3,6 +3,7 @@ import { setupRenderingTest } from "discourse/tests/helpers/component-test";
import { fillIn, render } from "@ember/test-helpers";
import { hbs } from "ember-cli-htmlbars";
import pretender, { response } from "discourse/tests/helpers/create-pretender";
import { query } from "discourse/tests/helpers/qunit-helpers";
module("Integration | Component | ComposerEditor", function (hooks) {
setupRenderingTest(hooks);
@ -43,4 +44,22 @@ module("Integration | Component | ComposerEditor", function (hooks) {
await fillIn("textarea", "@user-no @user-ok @user-nope");
});
test("preview sanitizes HTML", async function (assert) {
this.set("model", {});
this.set("noop", () => {});
await render(hbs`
<ComposerEditor
@composer={{this.model}}
@afterRefresh={{this.noop}}
/>
`);
await fillIn(".d-editor-input", `"><svg onload="prompt(/xss/)"></svg>`);
assert.strictEqual(
query(".d-editor-preview").innerHTML.trim(),
'<p>"&gt;<svg></svg></p>'
);
});
});
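Review bot: The expected string in the new "preview sanitizes HTML" test lets `<svg>` through, and nothing in the test says why, so a later reader could take the surviving element for a sanitizer regression or change the expectation back. A comment above the assertion such as `// image-controls allowlists <svg> while previewing; only the onload handler must be stripped` would record the intent given in the commit message. The exact `innerHTML` comparison also ties the check to serialization details; an additional `assert.false(query(".d-editor-preview svg").hasAttribute("onload"));` would pin the security property directly. With the d-editor test removed by this commit, the non-previewing path where the element is dropped entirely appears to lose coverage, which may be worth confirming. The enclosing `module` callback opens above the hunk.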


@ -45,16 +45,6 @@ module("Integration | Component | d-editor", function (hooks) {
);
});
test("preview sanitizes HTML", async function (assert) {
await render(hbs`<DEditor @value={{this.value}} />`);
await fillIn(".d-editor-input", `"><svg onload="prompt(/xss/)"></svg>`);
assert.strictEqual(
query(".d-editor-preview").innerHTML.trim(),
'<p>"&gt;</p>'
);
});
test("updating the value refreshes the preview", async function (assert) {
this.set("value", "evil trout");