Merge pull request #3789 from samvera/collection_logo_link

Verifiy the validity of the the Link URL supplied for the collection logo

app/controllers/hyrax/dashboard/collections_controller.rb

@@ -279,10 +279,10 @@ def process_logo_records(uploaded_file_ids)
           public_files = []
           uploaded_file_ids.each_with_index do |ufi, i|
             if ufi.include?('public')
-              update_logo_info(ufi, params["alttext"][i], params["linkurl"][i])
+              update_logo_info(ufi, params["alttext"][i], verify_linkurl(params["linkurl"][i]))
               public_files << ufi
             else # brand new one, insert in the database
-              logo_info = create_logo_info(ufi, params["alttext"][i], params["linkurl"][i])
+              logo_info = create_logo_info(ufi, params["alttext"][i], verify_linkurl(params["linkurl"][i]))
               public_files << logo_info.local_path
             end
           end
@@ -458,6 +458,17 @@ def collection_object
         def params_for_query
           params.merge(q: params[:cq])
         end
+
+        # Only accept HTTP|HTTPS urls;
+        # @return <String> the url
+        def verify_linkurl(linkurl)
+          url = Loofah.scrub_fragment(linkurl, :prune).to_s
+          url if valid_url?(url)
+        end
+
+        def valid_url?(url)
+          (url =~ URI.regexp(['http', 'https']))
+        end
     end
   end
 end

spec/controllers/hyrax/dashboard/collections_controller_spec.rb

@@ -294,6 +294,49 @@
 
         expect(CollectionBrandingInfo.where(collection_id: collection.id, role: "logo", alt_text: "Logo alt Text", target_url: "http://abc.com").where("local_path LIKE '%logo.gif'")).to exist
       end
+
+      context 'where the linkurl is not a valid http|http link' do
+        it "does not save linkurl containing html; target_url is empty" do
+          val = double(["/public/logo.gif"])
+          allow(val).to receive(:file_url).and_return("/public/logo.gif")
+          allow(Hyrax::UploadedFile).to receive(:find).with("1").and_return(val)
+
+          allow(File).to receive(:split).with(any_args).and_return(["logo.gif"])
+          allow(FileUtils).to receive(:cp).with(any_args).and_return(nil)
+
+          put :update, params: { id: collection, logo_files: [1], alttext: ["Logo alt Text"], linkurl: ["<script>remove_me</script>"], collection: { creator: ['Emily'] }, update_collection: true }
+          collection.reload
+
+          expect(
+            CollectionBrandingInfo.where(
+              collection_id: collection.id,
+              role: "logo",
+              alt_text: "Logo alt Text",
+              target_url: "<script>remove_me</script>"
+            ).where("target_url LIKE '%remove_me%)'")
+          ).not_to exist
+        end
+
+        it "does not save linkurl containing dodgy protocol; target_url is empty" do
+          val = double(["/public/logo.gif"])
+          allow(val).to receive(:file_url).and_return("/public/logo.gif")
+          allow(Hyrax::UploadedFile).to receive(:find).with("1").and_return(val)
+
+          allow(File).to receive(:split).with(any_args).and_return(["logo.gif"])
+          allow(FileUtils).to receive(:cp).with(any_args).and_return(nil)
+
+          put :update, params: { id: collection, logo_files: [1], alttext: ["Logo alt Text"], linkurl: ['javascript:alert("remove_me")'], collection: { creator: ['Emily'] }, update_collection: true }
+          collection.reload
+          expect(
+            CollectionBrandingInfo.where(
+              collection_id: collection.id,
+              role: "logo",
+              alt_text: "Logo alt Text",
+              target_url: 'javascript:alert("remove_me")'
+            ).where("target_url LIKE '%remove_me%)'")
+          ).not_to exist
+        end
+      end
     end
   end