From 60368ee8db226edf45dc53dfea928fe52607bbf7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Fran=20Bol=C3=ADvar?=
Date: Mon, 21 Aug 2023 19:24:12 +0200
Subject: [PATCH] Encode non-ASCII characters on external links (#11472) (#11499)
* Encode non-ASCII characters on external links
* Lint
* Apply suggestions
---
 .../app/controllers/decidim/links_controller.rb | 2 +-
 .../spec/system/external_domain_warning_spec.rb | 11 +++++++++++
 2 files changed, 12 insertions(+), 1 deletion(-)
diff --git a/decidim-core/app/controllers/decidim/links_controller.rb b/decidim-core/app/controllers/decidim/links_controller.rb
index 642e5c626464b..05d686838f399 100644
--- a/decidim-core/app/controllers/decidim/links_controller.rb
+++ b/decidim-core/app/controllers/decidim/links_controller.rb
@@ -35,7 +35,7 @@ def parse_url
 end
 def external_url
- @external_url ||= URI.parse(params[:external_url])
+ @external_url ||= URI.parse(URI::Parser.new.escape(params[:external_url]))
 end
 end
 end
diff --git a/decidim-core/spec/system/external_domain_warning_spec.rb b/decidim-core/spec/system/external_domain_warning_spec.rb
index 018d4469e340b..25e38fc877cdf 100644
--- a/decidim-core/spec/system/external_domain_warning_spec.rb
+++ b/decidim-core/spec/system/external_domain_warning_spec.rb
@@ -28,6 +28,17 @@
 expect(page).to have_link("Another link", href: "http://www.example.org")
 end
+ context "when url has special characters" do
+ let(:destination) { "https://example.org/test?foo=bàr" }
+ let(:url) { "http://#{organization.host}/link?external_url=#{destination}" }
+
+ it "does not show invalid url alert" do
+ visit url
+ expect(page).not_to have_content("Invalid URL")
+ expect(page).to have_content("b%C3%A0r")
+ end
+ end
+
 context "when url is invalid" do
 let(:invalid_url) { "http://#{organization.host}/link?external_url=foo" }
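Review bot: `URI::Parser.new.escape` in `external_url` rewrites more than the non-ASCII characters the commit is about. With the parser's default unsafe set, `%` and `#` are escaped too as far as I know, so a destination that arrives already percent-encoded (`a%20b` would become `a%2520b`) or that carries a fragment is altered, and the address shown on the external-link warning page is no longer the one the user followed. Limiting the escape to non-ASCII keeps every other input on the old path: `@external_url ||= URI.parse(URI::Parser.new.escape(params[:external_url], /[^\x00-\x7F]/))`. A request without `external_url` also now fails inside `escape` rather than in `URI.parse`, probably with a different exception class than `URI::InvalidURIError`; whether `parse_url` checks for a blank parameter first is outside the hunk. The spec hunk in this patch covers only the `bàr` case, so an already-encoded destination and a missing parameter would be worth pinning there.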