Merge pull request #1303 from betagouv/fix-1302

[Fix #1302] sanitize_url can deal with nil values
2018-01-18 17:39:12 +01:00 · 2018-01-18 17:39:12 +01:00 · bb090179b8
commit bb090179b8
parent 859de6168b d945001e0a
2 changed files with 23 additions and 1 deletions
--- a/app/helpers/application_helper.rb
+++ b/app/helpers/application_helper.rb
@ -2,7 +2,9 @@ module ApplicationHelper
  include SanitizeUrl

  def sanitize_url(url)
-    super(url, schemes: ['http', 'https'], replace_evil_with: root_url)
+    if !url.nil?
+      super(url, schemes: ['http', 'https'], replace_evil_with: root_url)
+    end
  end

  def flash_class(level)
--- a/spec/helpers/application_helper_spec.rb
+++ b/spec/helpers/application_helper_spec.rb
@ -0,0 +1,20 @@
+describe ApplicationHelper do
+  describe "#sanitize_url" do
+    subject { sanitize_url(url) }
+
+    describe 'does nothing on clean url' do
+      let(:url) { "https://tps.fr/toto" }
+      it { is_expected.to eq(url) }
+    end
+
+    describe 'clean a dangerous url' do
+      let(:url) { "javascript:alert('coucou jtai hacké')" }
+      it { is_expected.to eq(root_url) }
+    end
+
+    describe 'can deal with a nil url' do
+      let(:url) { nil }
+      it { is_expected.to be_nil }
+    end
+  end
+end