spec/flipper/ui/actions/feature_spec.rb in flipper-ui-1.1.2 vs spec/flipper/ui/actions/feature_spec.rb in flipper-ui-1.2.0

- old
+ new

@@ -22,11 +22,11 @@
 expect(flipper.features.map(&:key)).not_to include('search')
 end
 it 'redirects to features' do
 expect(last_response.status).to be(302)
- expect(last_response.headers['Location']).to eq('/features')
+ expect(last_response.headers['location']).to eq('/features')
 end
 context "with space in feature name" do
 before do
 flipper.enable "sp ace"
@@ -39,11 +39,11 @@
 expect(flipper.features.map(&:key)).not_to include('sp ace')
 end
 it 'redirects to features' do
 expect(last_response.status).to be(302)
- expect(last_response.headers['Location']).to eq('/features')
+ expect(last_response.headers['location']).to eq('/features')
 end
 end
 context 'when feature_removal_enabled is set to false' do
 around do |example|
@@ -78,11 +78,11 @@
 expect(flipper.features.map(&:key)).not_to include('search')
 end
 it 'redirects to features' do
 expect(last_response.status).to be(302)
- expect(last_response.headers['Location']).to eq('/features')
+ expect(last_response.headers['location']).to eq('/features')
 end
 end
 describe 'GET /features/:feature' do
 before do
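Review bot: The pair `expect(last_response.status).to be(302)` / `expect(last_response.headers['location']).to eq('/features')` now appears verbatim in all three hunks (-22, -39 and -78), so the header-key change had to be made three times; a single `shared_examples 'redirects to features'` pulled in with `it_behaves_like` would keep the redirect expectation in one place. The lowercase key is the form Rack 3 normalizes response headers to, and as far as I can tell `last_response.headers` is case-insensitive under both Rack 2 and Rack 3, so the change itself reads the same either way. The enclosing `it`/`context` blocks of each hunk begin outside the hunk.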
@@ -136,16 +136,37 @@
 "some_actor_name" => "Some Actor Name",
 "some_other_actor_name" => "Some Other Actor Name",
 }
 }
 end
-
- get '/features/search'
 end
 it 'renders template with custom actor names' do
+ get '/features/search'
 expect(last_response.body).to include('Some Actor Name (some_actor_name)')
 expect(last_response.body).not_to include('Some Other Actor Name')
+ end
+
+ it 'allows basic html' do
+ Flipper::UI.configure do |config|
+ config.actor_names_source = lambda { |_keys|
+ { "some_actor_name" => '<a href="/users/some_actor_name">Some Actor Name</a>', }
+ }
+ end
+
+ get '/features/search'
+ expect(last_response.body).to include('<a href="/users/some_actor_name" rel="nofollow">Some Actor Name</a>')
+ end
+
+ it 'sanitizes dangerous markup' do
+ Flipper::UI.configure do |config|
+ config.actor_names_source = lambda { |_keys|
+ { "some_actor_name" => '<a href="javascript:alert(\'hello\')">Some Actor Name</a>', }
+ }
+ end
+
+ get '/features/search'
+ expect(last_response.body).not_to include('javascript:alert')
 end
 end
 end
 describe 'GET /features/:feature with _features in feature name' do
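Review bot: The only assertion in the new `sanitizes dangerous markup` example, `expect(last_response.body).not_to include('javascript:alert')`, is satisfied by output that is not actually safe — a sanitizer that left the `href` in place but entity-encoded the colon, or that kept the attribute under different whitespace, would pass while the browser still decodes it. Pin the sanitized form positively the way `allows basic html` does, e.g. `expect(last_response.body).to include('<a>Some Actor Name</a>')` if stripping the attribute is what the sanitizer emits (confirm against the implementation), and keep the negative check as a second line so a regression shows which side failed. A sibling example whose value carries the scheme behind an entity or an event-handler attribute would cover the other standard sanitizer cases that a defender expects a test like this to lock in. Both new examples call `Flipper::UI.configure` and set `actor_names_source` without restoring it; unless a hook outside the hunk resets the UI configuration between examples, the lambda set here leaks into later ones. The enclosing `describe 'GET /features/:feature'` begins outside the hunk.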