From 341698ed40e023898d9f9d1f5c163d4d2cab4832 Mon Sep 17 00:00:00 2001 From: Santiago Pastorino Date: Wed, 16 Jul 2014 12:21:46 -0300 Subject: Don't accept parameters as argument for redirect to [via @homakov] Closes #16170 --- actionpack/test/controller/redirect_test.rb | 10 ++++++++++ 1 file changed, 10 insertions(+) (limited to 'actionpack/test/controller/redirect_test.rb') diff --git a/actionpack/test/controller/redirect_test.rb b/actionpack/test/controller/redirect_test.rb index 4331333b98..103ca9c776 100644 --- a/actionpack/test/controller/redirect_test.rb +++ b/actionpack/test/controller/redirect_test.rb @@ -90,6 +90,10 @@ class RedirectController < ActionController::Base redirect_to nil end + def redirect_to_params + redirect_to ActionController::Parameters.new(status: 200, protocol: 'javascript', f: '%0Aeval(name)') + end + def redirect_to_with_block redirect_to proc { "http://www.rubyonrails.org/" } end @@ -281,6 +285,12 @@ class RedirectTest < ActionController::TestCase end end + def test_redirect_to_params + assert_raise(ActionController::ActionControllerError) do + get :redirect_to_params + end + end + def test_redirect_to_with_block get :redirect_to_with_block assert_response :redirect -- cgit v1.2.3