From c9fcce06faf44d0aff5a50577fbb02c2840e361e Mon Sep 17 00:00:00 2001 From: Antti Hukkanen Date: Fri, 11 Oct 2024 17:27:04 +0300 Subject: [PATCH] Fix double encoding specific characters with the external links (#13517) --- .../app/controllers/decidim/links_controller.rb | 2 +- .../spec/system/external_domain_warning_spec.rb | 11 +++++++++++ 2 files changed, 12 insertions(+), 1 deletion(-) diff --git a/decidim-core/app/controllers/decidim/links_controller.rb b/decidim-core/app/controllers/decidim/links_controller.rb index 79dac5f528094..11ec7f8bf4c21 100644 --- a/decidim-core/app/controllers/decidim/links_controller.rb +++ b/decidim-core/app/controllers/decidim/links_controller.rb @@ -41,7 +41,7 @@ def external_url end def escape_url(external_url) - before_fragment, fragment = external_url.split("#", 2) + before_fragment, fragment = URI.decode_www_form_component(external_url).split("#", 2) escaped_before_fragment = URI::Parser.new.escape(before_fragment) if fragment diff --git a/decidim-core/spec/system/external_domain_warning_spec.rb b/decidim-core/spec/system/external_domain_warning_spec.rb index 02dfc33da23eb..2756d8f933798 100644 --- a/decidim-core/spec/system/external_domain_warning_spec.rb +++ b/decidim-core/spec/system/external_domain_warning_spec.rb @@ -51,6 +51,17 @@ end end + context "when the source url has encoded characters" do + let(:destination) { "https://example.org/Me%2Cmyself%2Cand%2CI" } + let(:url) { "http://#{organization.host}/link?external_url=#{destination}" } + + it "does not show invalid url alert" do + visit url + expect(page).to have_no_content("Invalid URL") + expect(page).to have_content("Me,myself,and,I") + end + end + context "when url is invalid" do let(:invalid_url) { "http://#{organization.host}/link?external_url=foo" }