fix(3262): Allow anchor tags within the nav banner (#1319)

Co-authored-by: mhirabar <[email protected]>

app/components/nav-banner/template.hbs

@@ -11,7 +11,7 @@
         />
         <div class="banner-message">
           <span>
-            {{banner.message}}
+            {{{input-sanitizer banner.message}}}
           </span>
         </div>
       </div>

tests/integration/components/nav-banner/component-test.js

@@ -27,4 +27,47 @@ module('Integration | Component | nav banner', function (hooks) {
 
     assert.dom('.banner').hasText('× shutdown imminent');
   });
+
+  test('it renders banner with image tag', async function (assert) {
+    const bannerStub = Service.extend({
+      fetchBanners: () =>
+        resolve([
+          EmberObject.create({
+            id: 2,
+            isActive: true,
+            message: `Image tag: <img src="#notanimage" onerror="alert('unsafe script injection from warning!')" />`
+          })
+        ])
+    });
+
+    this.owner.register('service:banner', bannerStub);
+
+    await render(hbs`<NavBanner />`);
+
+    assert.dom('.banner-message').hasText('Image tag:');
+  });
+
+  test('it renders with link', async function (assert) {
+    const bannerStub = Service.extend({
+      fetchBanners: () =>
+        resolve([
+          EmberObject.create({
+            id: 3,
+            isActive: true,
+            message: `test - <a href="https://docs.screwdriver.cd/" onclick="alert('xss test');">screwdriver docs</a>`
+          })
+        ])
+    });
+
+    this.owner.register('service:banner', bannerStub);
+
+    await render(hbs`<NavBanner />`);
+
+    assert.dom('.banner-message').hasText('test - screwdriver docs');
+    assert
+      .dom('.banner-message > span > a')
+      .hasAttribute('href', 'https://docs.screwdriver.cd/');
+    assert.dom('.banner-message > span > a').hasNoAttribute('rel');
+    assert.dom('.banner-message > span > a').hasNoAttribute('onclick');
+  });
 });