From 4752e7d83794ecf23c6d0367f0bcad8eee33da59 Mon Sep 17 00:00:00 2001
From: Jean Boussier
Date: Tue, 7 Jul 2015 13:47:16 -0400
Subject: Prevent ActionController::Parameters from being passed to url_for directly
---
 actionpack/test/controller/url_for_test.rb | 7 +++++++
 1 file changed, 7 insertions(+)
(limited to 'actionpack/test/controller/url_for_test.rb')
diff --git a/actionpack/test/controller/url_for_test.rb b/actionpack/test/controller/url_for_test.rb
index 78e883f134..67212fea38 100644
--- a/actionpack/test/controller/url_for_test.rb
+++ b/actionpack/test/controller/url_for_test.rb
@@ -375,6 +375,13 @@ module AbstractController
 assert_equal({'query[person][position][]' => 'prof' }.to_query, params[3])
 end
 
+ def test_url_action_controller_parameters
+ add_host!
+ assert_raise(ArgumentError) do
+ W.new.url_for(ActionController::Parameters.new(:controller => 'c', :action => 'a', protocol: 'javascript', f: '%0Aeval(name)'))
+ end
+ end
+
 def test_path_generation_for_symbol_parameter_keys
 assert_generates("/image", :controller=> :image)
 end
-- 
cgit v1.2.3
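Review bot: In `test_url_action_controller_parameters`, `assert_raise(ArgumentError)` passes on any ArgumentError raised inside the block, so the test does not prove that the rejection comes from the new `ActionController::Parameters` guard rather than from an unrelated argument problem in `url_for`. `assert_raise` returns the exception, so the result can be kept and checked: `error = assert_raise(ArgumentError) do ... end`, then `assert_match(/<expected guard message>/, error.message)` (the pattern is a placeholder, since the message text is not visible on this page). A one-line comment would also record why `protocol: 'javascript'` and `f: '%0Aeval(name)'` were chosen, presumably `# request-derived params must not be able to pick the URL protocol (e.g. javascript:)`. The hash literal mixes `:controller => 'c'` with `protocol: 'javascript'`, and a single key style would read more cleanly. The enclosing test class starts and ends outside the hunk.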