Validate allowed schemes on preview card URLs (#27485)

2023-10-23 03:50:02 -04:00 · 2023-10-23 03:50:02 -04:00 · b0213472df
commit b0213472df
parent 9d45a444f9
2 changed files with 29 additions and 1 deletions
--- a/spec/models/preview_card_spec.rb
+++ b/spec/models/preview_card_spec.rb
@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'rails_helper'
+
+describe PreviewCard do
+  describe 'validations' do
+    describe 'urls' do
+      it 'allows http schemes' do
+        record = described_class.new(url: 'http://example.host/path')
+
+        expect(record).to be_valid
+      end
+
+      it 'allows https schemes' do
+        record = described_class.new(url: 'https://example.host/path')
+
+        expect(record).to be_valid
+      end
+
+      it 'does not allow javascript: schemes' do
+        record = described_class.new(url: 'javascript:alert()')
+
+        expect(record).to_not be_valid
+        expect(record).to model_have_error_on_field(:url)
+      end
+    end
+  end
+end