Keep current host in links to current path

This way we avoid a possible unprotected redirect.
2019-11-10 16:56:56 +01:00
parent 9065683216
commit 31c21ddd42
2 changed files with 10 additions and 1 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -3,7 +3,7 @@ module ApplicationHelper
  # notice: if query_params have a param which also exist in current path,
  # it "overrides" (query_params is merged last)
  def current_path_with_query_params(query_parameters)
-    url_for(request.query_parameters.merge(query_parameters))
+    url_for(request.query_parameters.merge(query_parameters).merge(only_path: true))
  end

  def markdown(text)
--- a/spec/features/localization_spec.rb
+++ b/spec/features/localization_spec.rb
@@ -40,6 +40,15 @@ describe "Localization" do
    expect(page).to have_select("locale-switcher", selected: "Español")
  end

+  scenario "Keeps query parameters while using protected redirects", :js do
+    visit "/debates?order=created_at&host=evil.dev"
+
+    select("Español", from: "locale-switcher")
+
+    expect(current_host).to eq "http://127.0.0.1"
+    expect(page).to have_current_path "/debates?locale=es&order=created_at"
+  end
+
  context "Only one locale" do
    before do
      allow(I18n).to receive(:available_locales).and_return([:en])