Don’t escape entities in report titles via ajax.

author: Matthew Somerville <matthew-github@dracos.co.uk> 2018-12-11 11:54:51 +0000
committer: Matthew Somerville <matthew-github@dracos.co.uk> 2018-12-12 16:46:37 +0000
commit: c049907103c47e279706a319a0d8917ee6c968ab (patch)
tree: 2766ce490cff12bdff48d6561c54db6c5b604750 /.cypress
parent: 83744b62b5c55a04a1d513cec2916976f2dafb58 (diff)
1 files changed, 17 insertions, 0 deletions
diff --git a/.cypress/cypress/integration/regressions.js b/.cypress/cypress/integration/regressions.js
index 00e92f5ad..547fc469b 100644
--- a/.cypress/cypress/integration/regressions.js
+++ b/.cypress/cypress/integration/regressions.js
@@ -25,4 +25,21 @@ describe('Regression tests', function() {
         cy.get('#loading-indicator').should('be.hidden');
         cy.get('#map_box image').should('be.visible');
     });
+    it('Does not escape HTML entities in the title', function() {
+        cy.server();
+        cy.route('/around\?ajax*').as('update-results');
+        cy.request({
+          method: 'POST',
+          url: '/auth?r=/',
+          form: true,
+          body: { username: 'cs@example.org', password_sign_in: 'password' }
+        });
+        cy.visit('/report/1/moderate');
+        cy.get('[name=problem_title]').clear().type('M&S "brill" says <glob>').parents('form').submit();
+        cy.title().should('contain', 'M&S "brill" says <glob>');
+        cy.contains('Problems nearby').click();
+        cy.wait('@update-results');
+        cy.get('#map_sidebar').contains('M&S').click();
+        cy.title().should('contain', 'M&S "brill" says <glob>');
+    });
 });
author	Matthew Somerville <matthew-github@dracos.co.uk>	2018-12-11 11:54:51 +0000
committer	Matthew Somerville <matthew-github@dracos.co.uk>	2018-12-12 16:46:37 +0000
commit	c049907103c47e279706a319a0d8917ee6c968ab (patch)
tree	2766ce490cff12bdff48d6561c54db6c5b604750 /.cypress
parent	83744b62b5c55a04a1d513cec2916976f2dafb58 (diff)