Add spec test for sanitized content in gl_field_error

Add fixture with title exploit

Add spec test for sanitized content in gl_field_error
bfded809 · sdejonge · 3fd3787f · bfded809 · bfded809
--- a/spec/frontend/fixtures/static/gl_field_errors.html
+++ b/spec/frontend/fixtures/static/gl_field_errors.html
@@ -20,6 +20,9 @@
 <div class="form-group">
 <textarea required title="Textarea is required">Textarea</textarea>
 </div>
+<div class="form-group">
+<input type="text" title="xss:&lt;script&gt;alert(0)&lt;/script&gt;"></input>
+</div>
 <div class="form-group"></div>
 <input class="submit" type="submit">Submit</input>
 </form>
--- a/spec/frontend/gl_field_errors_spec.js
+++ b/spec/frontend/gl_field_errors_spec.js
@@ -28,7 +28,7 @@ describe('GL Style Field Errors', () => {
    expect(testContext.fieldErrors).toBeDefined();
    const { inputs } = testContext.fieldErrors.state;

-    expect(inputs.length).toBe(5);
+    expect(inputs.length).toBe(6);
  });

  it('should ignore elements with custom error handling', () => {
@@ -125,4 +125,15 @@ describe('GL Style Field Errors', () => {
    expect(noTitleErrorElem.text()).toBe('This field is required.');
    expect(hasTitleErrorElem.text()).toBe('Please provide a valid email address.');
  });
+
+  it('sanitizes error messages before appending them to DOM', () => {
+    testContext.$form.submit();
+
+    const trackedInputs = testContext.fieldErrors.state.inputs;
+    const xssInput = trackedInputs[5];
+
+    const xssErrorElem = xssInput.inputElement.siblings('.gl-field-error');
+
+    expect(xssErrorElem.html()).toBe('xss:');
+  });
 });