Diffstat (limited to 'actionview')
-rw-r--r--actionview/CHANGELOG.md4
-rw-r--r--actionview/lib/action_view/dependency_tracker.rb2
-rw-r--r--actionview/lib/action_view/digestor.rb2
-rw-r--r--actionview/lib/action_view/helpers/url_helper.rb14
-rw-r--r--actionview/lib/action_view/lookup_context.rb2
-rw-r--r--actionview/lib/action_view/renderer/partial_renderer.rb2
-rw-r--r--actionview/test/template/url_helper_test.rb17
7 files changed, 37 insertions, 6 deletions
diff --git a/actionview/CHANGELOG.md b/actionview/CHANGELOG.md
index 65314184c8..e5f5961326 100644
--- a/actionview/CHANGELOG.md
+++ b/actionview/CHANGELOG.md
@@ -1,3 +1,7 @@
+* Restrict `url_for :back` to valid, non-JavaScript URLs. GH#14444
+
+ *Damien Burke*
+
* Allow `date_select` helper selected option to accept hash like the default options.
*Lecky Lao*
diff --git a/actionview/lib/action_view/dependency_tracker.rb b/actionview/lib/action_view/dependency_tracker.rb
index 7716955fd9..5a4c3ea3fe 100644
--- a/actionview/lib/action_view/dependency_tracker.rb
+++ b/actionview/lib/action_view/dependency_tracker.rb
@@ -1,4 +1,4 @@
-require 'concurrent'
+require 'concurrent/map'
require 'action_view/path_set'
module ActionView
diff --git a/actionview/lib/action_view/digestor.rb b/actionview/lib/action_view/digestor.rb
index 12e9723a02..6f2f9ca53c 100644
--- a/actionview/lib/action_view/digestor.rb
+++ b/actionview/lib/action_view/digestor.rb
@@ -1,4 +1,4 @@
-require 'concurrent'
+require 'concurrent/map'
require 'action_view/dependency_tracker'
require 'monitor'
diff --git a/actionview/lib/action_view/helpers/url_helper.rb b/actionview/lib/action_view/helpers/url_helper.rb
index 5684de35e8..baebc34b4b 100644
--- a/actionview/lib/action_view/helpers/url_helper.rb
+++ b/actionview/lib/action_view/helpers/url_helper.rb
@@ -41,11 +41,21 @@ module ActionView
end
def _back_url # :nodoc:
- referrer = controller.respond_to?(:request) && controller.request.env["HTTP_REFERER"]
- referrer || 'javascript:history.back()'
+ _filtered_referrer || 'javascript:history.back()'
end
protected :_back_url
+ def _filtered_referrer # :nodoc:
+ if controller.respond_to?(:request)
+ referrer = controller.request.env["HTTP_REFERER"]
+ if referrer && URI(referrer).scheme != 'javascript'
+ referrer
+ end
+ end
+ rescue URI::InvalidURIError
+ end
+ protected :_filtered_referrer
+
# Creates an anchor element of the given +name+ using a URL created by the set of +options+.
# See the valid options in the documentation for +url_for+. It's also possible to
# pass a String instead of an options hash, which generates an anchor element that uses the
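Review bot: The new check in `_filtered_referrer`, `if referrer && URI(referrer).scheme != 'javascript'`, is a denylist of a single scheme, so a Referer carrying any other non-HTTP scheme is still returned and emitted verbatim as the link target; an allowlist is the safer shape, e.g. `if referrer && %w[http https].include?(URI(referrer).scheme)` (adding `nil` to the allowed set only if scheme-less referers must keep working). `URI#scheme` appears to be lowercased by the parser, so the comparison as written is probably not defeated by case alone — worth confirming on the supported Rubies — but the allowlist removes the question entirely. The trailing `rescue URI::InvalidURIError` with an empty body relies on the implicit `nil`; `rescue URI::InvalidURIError; nil # unparseable Referer: fall back to history.back()` would make the intent explicit to the next reader. The enclosing `module ActionView` starts outside the hunk.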
diff --git a/actionview/lib/action_view/lookup_context.rb b/actionview/lib/action_view/lookup_context.rb
index ec6edfaaa3..d3935788ef 100644
--- a/actionview/lib/action_view/lookup_context.rb
+++ b/actionview/lib/action_view/lookup_context.rb
@@ -1,4 +1,4 @@
-require 'concurrent'
+require 'concurrent/map'
require 'active_support/core_ext/module/remove_method'
require 'active_support/core_ext/module/attribute_accessors'
require 'action_view/template/resolver'
diff --git a/actionview/lib/action_view/renderer/partial_renderer.rb b/actionview/lib/action_view/renderer/partial_renderer.rb
index 39c8658ffe..a78bf0a6e9 100644
--- a/actionview/lib/action_view/renderer/partial_renderer.rb
+++ b/actionview/lib/action_view/renderer/partial_renderer.rb
@@ -1,5 +1,5 @@
require 'action_view/renderer/partial_renderer/collection_caching'
-require 'concurrent'
+require 'concurrent/map'
module ActionView
class PartialIteration
diff --git a/actionview/test/template/url_helper_test.rb b/actionview/test/template/url_helper_test.rb
index 43a65a58cb..48d0a9a47a 100644
--- a/actionview/test/template/url_helper_test.rb
+++ b/actionview/test/template/url_helper_test.rb
@@ -50,6 +50,23 @@ class UrlHelperTest < ActiveSupport::TestCase
assert_equal 'javascript:history.back()', url_for(:back)
end
+ def test_url_for_with_back_and_no_controller
+ @controller = nil
+ assert_equal 'javascript:history.back()', url_for(:back)
+ end
+
+ def test_url_for_with_back_and_javascript_referer
+ referer = 'javascript:alert(document.cookie)'
+ @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))
+ assert_equal 'javascript:history.back()', url_for(:back)
+ end
+
+ def test_url_for_with_invalid_referer
+ referer = 'THIS IS NOT A URL'
+ @controller = Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))
+ assert_equal 'javascript:history.back()', url_for(:back)
+ end
+
def test_button_to_with_straight_url
assert_dom_equal %{<form method="post" action="http://www.example.com" class="button_to"><input type="submit" value="Hello" /></form>}, button_to("Hello", "http://www.example.com")
end
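Review bot: The three new tests pin only the fallback paths; none asserts that a well-formed `http(s)` Referer is returned unchanged by the new filter (unless a test above the hunk already does), nor that a differently cased scheme — a mixed-case variant of the `referer` literal in `test_url_for_with_back_and_javascript_referer` — is still rejected. A `test_url_for_with_back_and_mixed_case_javascript_referer` built the same way and asserting `'javascript:history.back()'` would guard the case-folding the `URI(referrer).scheme` comparison depends on. The `Struct.new(:request).new(Struct.new(:env).new("HTTP_REFERER" => referer))` fixture is duplicated in two tests; a small private helper such as `controller_with_referer(referer)` would keep them readable.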