Add homepage url to user profile

app/controllers/profiles_controller.rb

@@ -66,7 +66,7 @@ def params_user
     end
   end
 
-  PERMITTED_PROFILE_PARAMS = %i[handle twitter_username unconfirmed_email public_email full_name].freeze
+  PERMITTED_PROFILE_PARAMS = %i[handle twitter_username unconfirmed_email homepage_url public_email full_name].freeze
 
   def verify_password
     password = params.expect(user: :password)[:password]

app/controllers/users_controller.rb

@@ -27,6 +27,7 @@ def create
     password
     website
     twitter_username
+    homepage_url
     full_name
   ].freeze
 

app/helpers/url_helper.rb

@@ -0,0 +1,7 @@
+module UrlHelper
+  def display_safe_url(url)
+    return "" if url.blank?
+    return h(url) if url.start_with?("https://", "http://")
+    "https://#{h(url)}"
+  end
+end

app/models/user.rb

@@ -83,6 +83,8 @@ class User < ApplicationRecord
     message: "can only contain letters, numbers, and underscores"
   }, allow_nil: true, length: { within: 0..20 }
 
+  validates :homepage_url, http_url: true, allow_blank: true
+
   validates :password,
     length: { minimum: 10 },
     unpwn: true,
@@ -352,7 +354,7 @@ def clear_personal_attributes
       handle: nil, email_confirmed: false,
       unconfirmed_email: nil, blocked_email: nil,
       api_key: nil, confirmation_token: nil, remember_token: nil,
-      twitter_username: nil, webauthn_id: nil, full_name: nil,
+      twitter_username: nil, webauthn_id: nil, full_name: nil, homepage_url: nil,
       totp_seed: nil, mfa_hashed_recovery_codes: nil,
       mfa_level: :disabled,
       password: SecureRandom.hex(20).encode("UTF-8")

app/views/dashboards/_subject.html.erb

@@ -21,6 +21,20 @@
     </div>
   <% end %>
 
+  <% if user.homepage_url.present? %>
+    <div class="flex items-center mb-4 text-b3 lg:text-b2">
+      <%= icon_tag("link", color: :primary, class: "w-6 text-orange mr-3") %>
+      <p class="text-neutral-800 dark:text-white"><%=
+        link_to(
+          truncate(display_safe_url(user.homepage_url), length: 20),
+          display_safe_url(user.homepage_url),
+          rel: "nofollow",
+          data: { confirm: "You are about to be redirected #{display_safe_url(user.homepage_url)}" }
+        )
+      %></p>
+    </div>
+  <% end %>
+
   <% if user.twitter_username.present? %>
     <div class="flex items-center mb-4 text-b3 lg:text-b2">
       <%= icon_tag("x-twitter", color: :primary, class: "w-6 text-orange mr-3") %>

app/views/profiles/edit.html.erb

@@ -20,6 +20,11 @@
     <%= form.text_field :handle, :class => 'form__input' %>
   </div>
 
+  <div class="text_field">
+   <%= form.label :homepage_url, class: 'form__label' %>
+   <%= form.text_field(:homepage_url, class: 'form__input') %>
+  </div>
+
   <div class="text_field">
     <%= form.label :twitter_username, class: 'form__label form__label__icon-container' do %>
       <%=

app/views/profiles/show.html.erb

@@ -94,6 +94,19 @@
             )
           %>
         <% end %>
+        <% if @user.homepage_url.present? %>
+          <p id="homepage-url">
+            <%=
+               link_to(
+                truncate(display_safe_url(@user.homepage_url),length: 20),
+                display_safe_url(@user.homepage_url),
+                rel: "nofollow",
+                class: "profile__header__attribute t-link--black",
+                data: { confirm: "You are about to be redirected #{display_safe_url(@user.homepage_url)} " }
+              )
+            %>
+          </p>
+        <% end %>
       <% end %>
     </div>
 

db/migrate/20241114211431_add_homepage_url_to_users.rb

@@ -0,0 +1,5 @@
+class AddHomepageUrlToUsers < ActiveRecord::Migration[7.2]
+  def change
+    add_column :users, :homepage_url, :string
+  end
+end

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2024_11_04_065953) do
+ActiveRecord::Schema[7.2].define(version: 2024_11_14_211431) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "hstore"
   enable_extension "pgcrypto"
@@ -557,6 +557,7 @@
     t.string "mfa_hashed_recovery_codes", default: [], array: true
     t.boolean "public_email", default: false, null: false
     t.datetime "deleted_at"
+    t.string "homepage_url"
     t.index "lower((email)::text) varchar_pattern_ops", name: "index_users_on_lower_email"
     t.index ["email"], name: "index_users_on_email"
     t.index ["handle"], name: "index_users_on_handle"

lib/http_url_validator.rb

@@ -0,0 +1,8 @@
+class HttpUrlValidator < ActiveModel::EachValidator
+  def validate_each(record, attribute, value)
+    uri = URI::DEFAULT_PARSER.parse(value)
+    record.errors.add attribute, "is not a valid URL" unless [URI::HTTP, URI::HTTPS].member?(uri.class)
+  rescue URI::InvalidURIError
+    record.errors.add attribute, "is not a valid URL"
+  end
+end

test/integration/profile_test.rb

@@ -133,6 +133,21 @@ def sign_out
     assert page.has_link?("@nick1", href: "https://twitter.com/nick1")
   end
 
+  test "adding homepage url" do
+    sign_in
+    visit profile_path("nick1")
+
+    click_link "Edit Profile"
+    fill_in "user_homepage_url", with: "https://nickisawesome.com"
+    fill_in "Password", with: PasswordHelpers::SECURE_TEST_PASSWORD
+    click_button "Update"
+
+    click_link "Sign out"
+    visit profile_path("nick1")
+
+    assert page.has_link?("https://nickisawe...")
+  end
+
   test "deleting profile" do
     sign_in
     visit profile_path("nick1")

test/models/user_test.rb

@@ -172,6 +172,19 @@ class UserTest < ActiveSupport::TestCase
       should_not allow_value("012345678901234567890").for(:twitter_username)
     end
 
+    context "homepage url" do
+      should allow_value("https://www.mywebsite.com").for(:homepage_url)
+      should allow_value("http://www.mywebsite.com").for(:homepage_url)
+      should_not allow_value("<html><body>hi</body><html>").for(:homepage_url)
+      should_not allow_value("javascript:alert('hello');").for(:homepage_url)
+      should_not allow_value("file:///etc/passwd").for(:homepage_url)
+      should_not allow_value("file://C:/Windows/System32/cmd.exe").for(:homepage_url)
+      should_not allow_value("data:text/html,<script>alert('XSS')</script>").for(:homepage_url)
+      should_not allow_value("data:text/html;base64,SGVsbG8sIFdvcmxkIQ==").for(:homepage_url)
+      should_not allow_value("data:text/html,<img src='x' onerror='alert(1)'>").for(:homepage_url)
+      should_not allow_value("data:text/html,<iframe src='javascript:alert(1)'></iframe>").for(:homepage_url)
+    end
+
     context "password" do
       should "be between 10 characters and 72 bytes" do
         user = build(:user, password: "%5a&12ed/")

test/unit/helpers/url_helper_test.rb

@@ -0,0 +1,33 @@
+require "test_helper"
+
+class UrlHelperTest < ActionView::TestCase
+  include ERB::Util
+  context "display_safe_url" do
+    should "return url if it begins with https" do
+      assert_equal "https://www.awesomesite.com", display_safe_url("https://www.awesomesite.com")
+    end
+    should "return empty string if url is empty" do
+      assert_equal "", display_safe_url("")
+    end
+
+    should "display a url starting with http" do
+      assert_equal "http://www.awesomesite.com", display_safe_url("http://www.awesomesite.com")
+    end
+
+    should "return link with https if it does not begin with https" do
+      assert_equal "https://javascript:alert(&#39;hello&#39;);", display_safe_url("javascript:alert('hello');")
+    end
+
+    should "escape html" do
+      assert_equal "https://&lt;script&gt;alert(&#39;hello&#39;);&lt;/script&gt;https://www", display_safe_url("<script>alert('hello');</script>https://www")
+    end
+
+    should "prepend https if url does not begin with http or https" do
+      assert_equal "https://www.awesomesite.com/https://javascript:alert(&#39;hello&#39;);", display_safe_url("www.awesomesite.com/https://javascript:alert('hello');")
+    end
+
+    should "return empty string if url is nil" do
+      assert_equal "", display_safe_url(nil)
+    end
+  end
+end