Refactor appeal partial to avoid brakeman XSS warning (#25880)

2023-10-19 11:25:54 -04:00 · 2023-10-19 11:25:54 -04:00 · 9f218c9924
commit 9f218c9924
parent bcd0171e5e
5 changed files with 47 additions and 36 deletions
--- a/spec/controllers/admin/disputes/appeals_controller_spec.rb
+++ b/spec/controllers/admin/disputes/appeals_controller_spec.rb
@ -18,10 +18,14 @@ RSpec.describe Admin::Disputes::AppealsController do
  describe 'GET #index' do
    let(:current_user) { Fabricate(:user, role: UserRole.find_by(name: 'Admin')) }

-    it 'lists appeals' do
+    before { appeal }
+
+    it 'returns a page that lists details of appeals' do
      get :index

-      expect(response).to have_http_status(200)
+      expect(response).to have_http_status(:success)
+      expect(response.body).to include("<span class=\"username\">#{strike.account.username}</span>")
+      expect(response.body).to include("<span class=\"target\">#{appeal.account.username}</span>")
    end
  end

--- a/spec/helpers/admin/disputes_helper_spec.rb
+++ b/spec/helpers/admin/disputes_helper_spec.rb
@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe Admin::DisputesHelper do
+  describe 'strike_action_label' do
+    it 'returns html describing the appeal' do
+      adam = Account.new(username: 'Adam')
+      becky = Account.new(username: 'Becky')
+      strike = AccountWarning.new(account: adam, action: :suspend)
+      appeal = Appeal.new(strike: strike, account: becky)
+
+      expected = <<~OUTPUT.strip
+        <span class="username">Adam</span> suspended <span class="target">Becky</span>'s account
+      OUTPUT
+      result = helper.strike_action_label(appeal)
+
+      expect(result).to eq(expected)
+    end
+  end
+end