From b2745d8aee2180ecac09d7ec29f951bd04582674 Mon Sep 17 00:00:00 2001
From: Daniela Soares Feitosa
Date: Tue, 4 Jun 2013 04:52:58 -0300
Subject: [PATCH] Filtering events links only with white_list

---
 app/models/event.rb     | 1 -
 test/unit/event_test.rb | 8 ++++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/app/models/event.rb b/app/models/event.rb
index 6f88de4..712a4cd 100644
--- a/app/models/event.rb
+++ b/app/models/event.rb
@@ -14,7 +14,6 @@ class Event < Article
     maybe_add_http(self.setting[:link])
   end
 
-  xss_terminate :only => [ :link ], :on => 'validation'
   xss_terminate :only => [ :body, :link, :address ], :with => 'white_list', :on => 'validation'
 
   def initialize(*args)
diff --git a/test/unit/event_test.rb b/test/unit/event_test.rb
index d0b2d7c..8908127 100644
--- a/test/unit/event_test.rb
+++ b/test/unit/event_test.rb
@@ -248,6 +248,14 @@ class EventTest < ActiveSupport::TestCase
     assert_equal " Address ", event.address
   end
 
+  should 'not filter & on link field' do
+    event = Event.new
+    event.link = 'myevent.com/?param1=value¶m2=value2'
+    event.valid?
+
+    assert_equal "http://myevent.com/?param1=value¶m2=value2", event.link
+  end
+
   should 'escape malformed html tags' do
     event = Event.new
     event.body = ">/h1>"
--
libgit2 0.21.2
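Review bot: With the full-escaping `xss_terminate` on `:link` removed, the only filter left on that field is the `white_list` one, which strips disallowed HTML tags but does not validate a URL scheme, so the model no longer has any check that a stored link is an http(s) URL; whether `maybe_add_http` (its body begins above this hunk) normalises the scheme cannot be told from what is visible. The surviving line deserves a comment recording why the stricter filter was dropped, e.g. `# link uses only the white_list filter: the default filter entity-encoded '&' in query strings (see 'not filter & on link field' in event_test)`. If `link` is rendered into an `href`, the scheme restriction should be confirmed at the view/helper layer rather than assumed from this model.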
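Review bot: The new `should 'not filter & on link field'` covers only the happy path of the model change; nothing in this commit asserts that a link containing markup is still sanitised now that the escaping filter is gone, so a regression in the `white_list` pass on `link` would go unnoticed. A companion case in the style of the adjacent `'escape malformed html tags'` — set `event.link` to a value containing a tag the white list does not allow, call `valid?`, and assert the tag is absent from `event.link` — would pin both sides of the behaviour. As rendered here the fixture reads `¶m2`, which looks like `&param2` entity-decoded during extraction; the committed string should be checked to contain a literal `&`. The `EventTest` class opens outside this hunk.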