diff options
| author | Rafael França <rafaelmfranca@gmail.com> | 2015-11-04 16:12:54 -0200 |
|---|---|---|
| committer | Rafael França <rafaelmfranca@gmail.com> | 2015-11-04 16:12:54 -0200 |
| commit | e8b2c0535c203119e6733a982dc22734f3da1219 (patch) | |
| tree | b267f45708bcb26f186812d57715f9c73134428c /actionview/test | |
| parent | 1e2f6bccc8bd2d5c8b40115c46bb4846cd673ed7 (diff) | |
| parent | ab5fb4f22430afa58c334f7e7e142660164490e5 (diff) | |
| download | rails-e8b2c0535c203119e6733a982dc22734f3da1219.tar.gz rails-e8b2c0535c203119e6733a982dc22734f3da1219.tar.bz2 rails-e8b2c0535c203119e6733a982dc22734f3da1219.zip | |
Merge pull request #22180 from usertesting/arbitrary-url-in-link-to-back
Don’t allow arbitrary data in back urls
Diffstat (limited to 'actionview/test')
| -rw-r--r-- | actionview/test/template/url_helper_test.rb | 17 |
1 files changed, 17 insertions, 0 deletions
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb index 43a65a58cb..48d0a9a47a 100644 --- a/actionview/test/template/url_helper_test.rb +++ b/actionview/test/template/url_helper_test.rb @@ -50,6 +50,23 @@ class UrlHelperTest < ActiveSupport::TestCase assert_equal 'javascript:history.back()', url_for(:back) end + def test_url_for_with_back_and_no_controller + @controller = nil + assert_equal 'javascript:history.back()', url_for(:back) + end + + def test_url_for_with_back_and_javascript_referer + referer = 'javascript:alert(document.cookie)' + @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer)) + assert_equal 'javascript:history.back()', url_for(:back) + end + + def test_url_for_with_invalid_referer + referer = 'THIS IS NOT A URL' + @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer)) + assert_equal 'javascript:history.back()', url_for(:back) + end + def test_button_to_with_straight_url assert_dom_equal %{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>}, button_to("Hello", "http://www.example.com") end |