5d85dc2d91
- Don't double escape the 'Delete branch "$BRANCH"' text. `Locale.Tr`
escapes the argument already and Vue does too by default.
- Let Vue escape the text and add a unit test ensuring that it escapes.
- Resolves #5582
(cherry picked from commit 8c8b31f304)
// Copyright 2024 The Forgejo Authors. All rights reserved.
// SPDX-License-Identifier: MIT
import {flushPromises, mount} from '@vue/test-utils';
import PullRequestMergeForm from './PullRequestMergeForm.vue';
/**
 * Mount PullRequestMergeForm with page data whose "delete branch" label
 * embeds the given branch name, click the merge button, and return the
 * mounted wrapper once pending promises have been flushed.
 *
 * The branch name is placed into `textDeleteBranch` verbatim, with no
 * escaping on the test side, so any escaping observed in the rendered output
 * is done by the component itself.
 *
 * @param {string} branchName - Branch name inserted as-is into the label text.
 * @returns {Promise<object>} The wrapper returned by `mount`.
 */
async function renderMergeForm(branchName) {
  const mergeStyle = {
    name: 'merge',
    allowed: true,
    textDoMerge: 'Merge',
    mergeTitleFieldText: 'Merge PR',
    mergeMessageFieldText: 'Description',
    hideAutoMerge: 'Hide this message',
  };

  // Page data is set before mounting; presumably the component reads it from
  // window.config.pageData when it is set up (confirm in the .vue file).
  window.config.pageData.pullRequestMergeForm = {
    textDeleteBranch: `Delete branch "${branchName}"`,
    textDoMerge: 'Merge',
    defaultMergeStyle: 'merge',
    isPullBranchDeletable: true,
    canMergeNow: true,
    mergeStyles: [mergeStyle],
  };

  const wrapper = mount(PullRequestMergeForm);

  // Click the merge button, then let queued promise callbacks run so the
  // wrapper reflects the post-click DOM.
  wrapper.get('.merge-button').trigger('click');
  await flushPromises();

  return wrapper;
}
// Escaping regression test for the 'Delete branch "$BRANCH"' label.
// text() yields the label's rendered text content, so each assertion requires
// the branch name to come back character for character: markup parsed as HTML
// would drop the tags from the text, and a second escaping pass would leave
// entity strings in it.
test('renders escaped branch name', async () => {
  const deleteBranchLabel = 'label[for="delete-branch-after-merge"]';

  // Plain formatting tag in the branch name.
  const boldForm = await renderMergeForm('<b>evil</b>');
  const boldText = boldForm.get(deleteBranchLabel).text();
  expect(boldText).toBe('Delete branch "<b>evil</b>"');

  // Script element with attributes and nested quotes in the branch name.
  const scriptForm = await renderMergeForm('<script class="evil">alert("evil message");</script>');
  const scriptText = scriptForm.get(deleteBranchLabel).text();
  expect(scriptText).toBe('Delete branch "<script class="evil">alert("evil message");</script>"');
});