From 31c21ddd42018ab223ed482ec73a592c3587fae0 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Javi=20Mart=C3=ADn?=
Date: Sun, 10 Nov 2019 16:56:56 +0100
Subject: [PATCH] Keep current host in links to current path

This way we avoid a possible unprotected redirect.
---
 app/helpers/application_helper.rb | 2 +-
 spec/features/localization_spec.rb | 9 +++++++++
 2 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/app/helpers/application_helper.rb b/app/helpers/application_helper.rb
index 255534a88..44b5410cc 100644
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@@ -3,7 +3,7 @@ module ApplicationHelper
 # notice: if query_params have a param which also exist in current path,
 # it "overrides" (query_params is merged last)
 def current_path_with_query_params(query_parameters)
- url_for(request.query_parameters.merge(query_parameters))
+ url_for(request.query_parameters.merge(query_parameters).merge(only_path: true))
 end
 def markdown(text)
diff --git a/spec/features/localization_spec.rb b/spec/features/localization_spec.rb
index 47cf53528..4056cb8dd 100644
--- a/spec/features/localization_spec.rb
+++ b/spec/features/localization_spec.rb
@@ -40,6 +40,15 @@ describe "Localization" do
 expect(page).to have_select("locale-switcher", selected: "Español")
 end
+ scenario "Keeps query parameters while using protected redirects", :js do
+ visit "/debates?order=created_at&host=evil.dev"
+ select("Español", from: "locale-switcher")
+ expect(current_host).to eq "http://127.0.0.1"
+ expect(page).to have_current_path "/debates?locale=es&order=created_at"
+ end
+
 context "Only one locale" do
 before do
 allow(I18n).to receive(:available_locales).and_return([:en])
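Review bot: `only_path: true` on the new `url_for` line neutralises `host`, `protocol` and `port` taken from the query string, but every other key of `request.query_parameters` is still handed to `url_for` as a route option, and in the Rails versions I know `url_for` also honours `script_name`, `controller`, `action` and `anchor` from that hash — so `?script_name=//evil.dev` may still produce a protocol-relative `//evil.dev/debates` link, which is the same off-site redirect by another key. Because that hash is attacker-controlled, I would strip the reserved keys before merging rather than rely on the last `merge` winning, e.g. `safe = request.query_parameters.except(*ActionDispatch::Routing::RouteSet::RESERVED_OPTIONS.map(&:to_s), "controller", "action")` followed by `url_for(safe.merge(query_parameters).merge(only_path: true))`; passing the query hash under the `params:` option would keep it out of routing entirely, but I have not confirmed that against this project's Rails version. The method comment should also record why the option is there, e.g. `# only_path: the merged query params are user input; they must never choose the host`.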
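Review bot: The new scenario injects only `host`, while `url_for` reads several other host-affecting keys from the same query hash (`protocol`, `port`, and probably `script_name`), so a later refactor that keeps the host safe but lets one of the others through would not be caught; I would widen the `visit` to something like `visit "/debates?order=created_at&host=evil.dev&protocol=https&port=8080"` (adding `script_name=//evil.dev` once the helper is known to ignore it) and keep the same two expectations. The literal `"http://127.0.0.1"` ties the assertion to Capybara's configured `server_host`; `expect(current_host).to eq "http://#{Capybara.server_host}"` keeps it true if CI binds the test server elsewhere. The name "Keeps query parameters while using protected redirects" describes the secondary check, whereas the assertion that matters is that a `host` query parameter cannot move the locale switch off-site, so `scenario "Ignores a host query parameter when switching locale", :js do` reads closer to what is verified. The enclosing `describe "Localization"` block starts and ends outside the hunk.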