Unvalidated redirect spec added

spec/features/unvalidated_redirects_spec.rb

@@ -0,0 +1,19 @@
+require 'spec_helper'
+
+feature 'unvalidated redirect' do
+  before do
+    UserFixture.reset_all_users
+    @normal_user = UserFixture.normal_user
+  end
+
+  scenario 'login redirects to anywhere', :js => true do
+    visit '/?url=http://example.com/do/evil/things'
+    within('.signup') do
+      fill_in 'email', :with => @normal_user.email
+      fill_in 'password', :with => @normal_user.clear_password
+    end
+    click_on 'Login'
+
+    current_url.should == 'http://example.com/do/evil/things'
+  end
+end