Potential fix for pull request finding

jazairi · Copilot · web-flow · commit 5fcf9c513b6a · 2026-06-17T17:53:22.000-04:00
Co-authored-by: Copilot Autofix powered by AI &lt;175728472+Copilot@users.noreply.github.com&gt;
diff --git a/test/controllers/thirdiron_controller_test.rb b/test/controllers/thirdiron_controller_test.rb
@@ -131,6 +131,18 @@ class ThirdironControllerTest < ActionDispatch::IntegrationTest
     end
   end
 
+  test 'browzine route ignores unsafe full_record_url values' do
+    VCR.use_cassette('browzine issn') do
+      get '/browzine?issn=1546170X&full_record_url=javascript:alert(1)'
+
+      assert_response :success
+
+      # Unsafe URL should not produce a "Full-text options" button
+      assert_select 'a.button', { count: 0 }
+      assert_select 'a.libkey-link', { count: 1 }
+    end
+  end
+
   test 'browzine route for non-existent issn returns blank' do
     # Browzine responds here, so we have a cassette - but the response is empty
     VCR.use_cassette('browzine nonexistent') do
