14028: Add test exposing the bug
authorLucas Di Pentima <ldipentima@veritasgenetics.com>
Tue, 14 Aug 2018 17:32:47 +0000 (14:32 -0300)
committerLucas Di Pentima <ldipentima@veritasgenetics.com>
Tue, 14 Aug 2018 17:33:51 +0000 (14:33 -0300)
Arvados-DCO-1.1-Signed-off-by: Lucas Di Pentima <ldipentima@veritasgenetics.com>

apps/workbench/test/controllers/projects_controller_test.rb

index ada0e33e70ab5f41221389f39cce1e9e2fdf32b3..c35d83ffc2bc1953ade99cc0772d7b5c92d93b27 100644 (file)
@@ -341,6 +341,16 @@ class ProjectsControllerTest < ActionController::TestCase
     assert_includes @response.body, 'Textile description with link to home page <a href="/">take me home</a>.'
   end
 
+  test "find a project and edit description to unsafe html description" do
+    project = api_fixture('groups')['aproject']
+    use_token :active
+    found = Group.find(project['uuid'])
+    found.description = 'Textile description with unsafe script tag <script language="javascript">alert("Hello there")</script>.'
+    found.save!
+    get(:show, {id: project['uuid']}, session_for(:active))
+    assert_includes @response.body, 'Textile description with unsafe script tag alert("Hello there").'
+  end
+
   test "find a project and edit description to textile description with link to object" do
     project = api_fixture('groups')['aproject']
     use_token :active
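Review bot: The added test's only assertion, `assert_includes @response.body, 'Textile description with unsafe script tag alert("Hello there").'`, checks that the stripped text appears somewhere in the page but never checks that the script markup is gone. If the description is rendered more than once, a page that sanitizes one copy and emits another raw would still pass. Add a negative check right after it, for example `refute_includes @response.body, '<script language="javascript">'`, so the test pins the security property itself. The exact-string match also assumes the renderer leaves the double quotes around `Hello there` unescaped, which cannot be confirmed from this hunk. A short comment such as `# script tags must be removed, inner text kept` above the assertion would record the intended sanitizer behaviour.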