Fix XSS, tests, and rubocop

ArtOfCode- · ArtOfCode- · commit 622fdfe3db49 · 2025-10-10T02:39:12.000+01:00
diff --git a/app/controllers/complaints_controller.rb b/app/controllers/complaints_controller.rb
@@ -57,6 +57,7 @@ def show
   private
 
   def access_check(complaint)
+    # rubocop:disable Lint/DuplicateBranch
     if user_signed_in? && (current_user.staff? || current_user == complaint.user)
       # only allow complainants to access their own complaints regardless of access token
       true
@@ -66,5 +67,6 @@ def access_check(complaint)
     else
       raise ActiveRecord::RecordNotFound
     end
+    # rubocop:enable Lint/DuplicateBranch
   end
 end
diff --git a/app/models/complaint.rb b/app/models/complaint.rb
@@ -20,7 +20,7 @@ def update_status(new_status, attribute_to = nil)
     attribution = attribute_to.nil? ? 'automatically' : "by #{attribute_to}"
     comments.create(content: "Status updated to #{new_status} at #{dt.iso8601} #{attribution}.", internal: true,
                     user_id: -1)
-    # TODO send email
+    # TODO: send email
   end
 
   private
diff --git a/app/views/complaints/show.html.erb b/app/views/complaints/show.html.erb
@@ -12,7 +12,7 @@
           <div class="grid--cell is-3">Reported URL</div>
           <div class="grid--cell is-9 has-color-yellow-700">
             <i class="fas fa-exclamation-triangle"></i>
-            <%= link_to @complaint.reported_url, @complaint.reported_url, class: 'is-yellow' %>
+            <%= sanitize(link_to(@complaint.reported_url, @complaint.reported_url, class: 'is-yellow')) %>
           </div>
 
           <% if @content_type.present? %>
diff --git a/test/controllers/complaints_controller_test.rb b/test/controllers/complaints_controller_test.rb
@@ -43,7 +43,7 @@ class ComplaintsControllerTest < ActionDispatch::IntegrationTest
                       content: 'test', email: 'something@else.com', user_wants_updates: true
     assert_response(:found)
     assert_not_nil assigns(:complaint)
-    assert_redirected_to complaint_path(@complaint.access_token)
+    assert_redirected_to complaint_path(assigns(:complaint).access_token)
     assert_equal users(:basic_user).email, assigns(:complaint).email
   end
 
@@ -52,7 +52,7 @@ class ComplaintsControllerTest < ActionDispatch::IntegrationTest
                       content: 'test', email: 'something@else.com', user_wants_updates: true
     assert_response(:found)
     assert_not_nil assigns(:complaint)
-    assert_redirected_to complaint_path(@complaint.access_token)
+    assert_redirected_to complaint_path(assigns(:complaint).access_token)
     assert_equal 'something@else.com', assigns(:complaint).email
   end
 
