diff --git a/decidim-core/spec/helpers/decidim/external_domain_helper_spec.rb b/decidim-core/spec/helpers/decidim/external_domain_helper_spec.rb
index 70845ace524f..7b4be78cbcdc 100644
--- a/decidim-core/spec/helpers/decidim/external_domain_helper_spec.rb
+++ b/decidim-core/spec/helpers/decidim/external_domain_helper_spec.rb
@@ -5,10 +5,14 @@
module Decidim
describe ExternalDomainHelper do
context "when everything is OK" do
- before { helper.instance_variable_set(:@url_parts, { protocol: "https:", domain: "decidim.barcelona", path: "/processes" }) }
+ before do
+ # rubocop:disable RSpec/AnyInstance
+ allow_any_instance_of(ActionView::Base).to receive(:external_url).and_return(URI.parse("https://decidim.barcelona/processes"))
+ # rubocop:enable RSpec/AnyInstance
+ end
it "highlights domain" do
- expect(helper.highlight_domain).to include('class="alert">decidim.barcelona')
+ expect(helper.highlight_domain).to include('class="text-alert">decidim.barcelona')
end
end
end
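Review bot: The stub on line 12 replaces `external_url` on every ActionView::Base instance, which is the only reason the rubocop disable/enable pair around it exists; stubbing the object under test instead, `allow(helper).to receive(:external_url).and_return(URI.parse("https://decidim.barcelona/processes"))`, would likely keep the intent and drop both comments, though whether `helper` exposes that method in this spec cannot be confirmed from the hunk. The single example on lines 15-18 pins a CSS class name (`text-alert`) rather than the behaviour, so the next markup change will break it again; asserting that the host appears inside the alert element (e.g. via a `have_css` matcher on the rendered HTML) would survive class renames. Only the well-formed case is covered here; the describe block has no example for how `highlight_domain` behaves when `external_url` has no host, which the system specs exercise only indirectly.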
diff --git a/decidim-core/spec/system/external_domain_warning_spec.rb b/decidim-core/spec/system/external_domain_warning_spec.rb
index e49d0186e291..018d4469e340 100644
--- a/decidim-core/spec/system/external_domain_warning_spec.rb
+++ b/decidim-core/spec/system/external_domain_warning_spec.rb
@@ -37,11 +37,84 @@
end
end
- context "when the url is malformed" do
- let(:invalid_url) do
- "http://#{organization.host}/link?external_url=javascript:alert(document.location.host)//%0ahttps://www.example.org"
+ context "when url has missing protocols" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=//example.org/some/path" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
end
- let!(:invalid_url2) do
+ end
+
+ context "when url has a port" do
+ let(:destination) { "http://example.org:3000/some/path" }
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=#{destination}" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).not_to have_content("Invalid URL")
+ expect(page).to have_content(destination)
+ expect(page).to have_link("Proceed", href: destination)
+ end
+ end
+
+ context "when url has invalid protocols" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=javascript://example.org%250aalert(document.location.host)" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
+ end
+ end
+
+ context "when url is double encoded" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=http://example.org%250ajavascript:alert(document.location.host)" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
+ end
+ end
+
+ context "when url is not HTTP" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=ftp://example.org/some/path" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
+ end
+ end
+
+ context "when url starts with HTTP but is not valid protocol" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=httpfoobar://example.org/some/path" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
+ end
+ end
+
+ context "when url starts with HTTPS but is not valid protocol" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=httpsfoobar://example.org/some/path" }
+
+ it "shows invalid url alert" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
+ end
+ end
+
+ context "when the url is malformed using a simple scenario" do
+ let(:invalid_url) { "http://#{organization.host}/link?external_url=javascript:alert(document.location.host)//%0ahttps://www.example.org" }
+
+ it "shows invalid url alert when using simple scenario" do
+ visit invalid_url
+ expect(page).to have_content("Invalid URL")
+ expect(page).to have_current_path(decidim.root_path, ignore_query: true)
+ end
+ end
+
+ context "when the url is malformed using a complex scenario" do
+ let(:invalid_url) do
%W(
http://#{organization.host}/link?external_url=javascript:fetch%28%22%2Fprocesses%2Fconsequuntur%2Daperiam%2Ff%2F12%2F
proposals%2F8%2Fproposal%5Fvote%22%2C%20%7B%22headers%22%3A%7B%22x%2Dcsrf%2Dtoken%22%3Adocument%2EquerySelectorAll%28
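Review bot: The example on lines 45-49 is titled "shows invalid url alert" but asserts the opposite, that "Invalid URL" is absent and a Proceed link to the destination is rendered, and the `let` holding that accepted URL is named `invalid_url`; renaming to `let(:valid_url)` and `it "shows the external domain warning with a proceed link"` makes a failure read correctly. The rejection contexts on lines 31-96 only assert the "Invalid URL" text; only the simple-scenario example on lines 101-105 also checks the redirect to `decidim.root_path`, and none asserts that no Proceed link is rendered for the rejected value, which is the property these cases exist to protect. A shared example used from each context would add both assertions once and remove the duplicated visit/expect pair across the seven contexts. The `%W(` array for the complex scenario continues into the next hunk.
```ruby
shared_examples "rejected external url" do
  it "shows invalid url alert and does not offer to proceed" do
    visit invalid_url
    expect(page).to have_content("Invalid URL")
    expect(page).to have_current_path(decidim.root_path, ignore_query: true)
    expect(page).not_to have_link("Proceed")
  end
end

context "when url has missing protocols" do
  let(:invalid_url) { "http://#{organization.host}/link?external_url=//example.org/some/path" }

  it_behaves_like "rejected external url"
end
# … unchanged: the remaining rejection contexts, each replacing its it-block with it_behaves_like …
```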
@@ -51,24 +124,18 @@
).join
end
- it "shows invalid url alert when using simple scenario" do
- visit invalid_url
- expect(page).to have_content("Invalid URL")
- expect(page).to have_current_path(decidim.root_path, ignore_query: true)
- end
-
it "shows invalid url alert when using complex scenario" do
- visit invalid_url2
+ visit invalid_url
expect(page).to have_content("Invalid URL")
expect(page).to have_current_path(decidim.root_path, ignore_query: true)
end
end
context "without param" do
- let(:no_param) { "http://#{organization.host}/link" }
+ let(:invalid_url) { "http://#{organization.host}/link" }
it "shows invalid url alert" do
- visit no_param
+ visit invalid_url
expect(page).to have_content("Invalid URL")
expect(page).to have_current_path decidim.root_path
end