
Configure brakeman to ignore url safe preview card urls (#25883)

This commit is contained in:
Matt Jankowski 2023-10-20 09:32:16 -04:00 committed by GitHub
parent 13688539bc
commit ab0fb81479
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
5 changed files with 27 additions and 40 deletions


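--- /dev/null
+++ b/[spec path not shown on page]
@@ -0,0 +1,20 @@
+# frozen_string_literal: true
+require 'rails_helper'
+describe 'admin/trends/links/_preview_card.html.haml' do
+it 'correctly escapes user supplied url values' do
+form = instance_double(ActionView::Helpers::FormHelper, check_box: nil)
+trend = PreviewCardTrend.new(allowed: false)
+preview_card = Fabricate.build(
+:preview_card,
+url: 'https://host.example/path?query=<script>',
+trend: trend,
+title: 'Fun'
+)
+render partial: 'admin/trends/links/preview_card', locals: { preview_card: preview_card, f: form }
+expect(rendered).to include('<a href="https://host.example/path?query=&lt;script&gt;">Fun</a>')
+end
+end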
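Review bot: The single example here pins only HTML-entity escaping of `<` and `>` inside an `https:` URL, which is the narrower of the two properties a Brakeman ignore entry for an href relies on; the other is that the scheme itself cannot be attacker-chosen, and nothing in this spec exercises that. If `PreviewCard` already rejects non-HTTP(S) schemes on assignment, a one-line comment above the `url:` value such as `# scheme is validated by the model; this example covers entity escaping only` would record why the ignore is justified; if it does not, a second example with a non-HTTP(S) scheme would close the gap. The example description `'correctly escapes user supplied url values'` could also say what is expected of the value, e.g. `'HTML-escapes user supplied url values in the href'`, so a future failure reads clearly. The file path for this new spec is not visible on the page, so I cannot confirm it sits under the view specs directory that `render partial:` conventions expect.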