Encode site domain when redirecting a shared link

Fixes plausible#376
payout-one · Dec 23, 2020 · 55e4e59 · 55e4e59
1 parent e338f58
commit 55e4e59
Show file tree

Hide file tree

Showing 2 changed files with 9 additions and 1 deletion.
diff --git a/lib/plausible_web/controllers/stats_controller.ex b/lib/plausible_web/controllers/stats_controller.ex
@@ -109,7 +109,7 @@ defmodule PlausibleWeb.StatsController do
     |> put_session(shared_link_key, %{
       valid_until: Timex.now() |> Timex.shift(hours: 1) |> DateTime.to_unix()
     })
-    |> redirect(to: "/#{shared_link.site.domain}")
+    |> redirect(to: "/#{URI.encode_www_form(shared_link.site.domain)}")
   end
 
   defp remove_email_report_banner(conn, site) do

diff --git a/test/plausible_web/controllers/stats_controller_test.exs b/test/plausible_web/controllers/stats_controller_test.exs
@@ -73,6 +73,14 @@ defmodule PlausibleWeb.StatsControllerTest do
       conn = get(conn, "/#{site.domain}")
       assert html_response(conn, 200) =~ "stats-react-container"
     end
+
+    test "encodes URI when redirecting", %{conn: conn} do
+      site = insert(:site, domain: "test-site.com/wat")
+      link = insert(:shared_link, site: site)
+
+      conn = get(conn, "/share/#{link.slug}")
+      assert redirected_to(conn, 302) == "/test-site.com%2Fwat"
+    end
   end
 
   describe "POST /share/:slug/authenticate" do