Add URL validation to external link to prevent XSS

This commit is contained in:
Baptiste Jonglez 2021-10-10 18:13:23 +02:00
parent bbe00ebb57
commit 312aa20ced
2 changed files with 31 additions and 1 deletions


@ -13,6 +13,7 @@ from wtforms.fields.core import Label, SelectField, SelectMultipleField
from wtforms.fields.html5 import DateField, DecimalField, URLField from wtforms.fields.html5 import DateField, DecimalField, URLField
from wtforms.fields.simple import BooleanField, PasswordField, StringField, SubmitField from wtforms.fields.simple import BooleanField, PasswordField, StringField, SubmitField
from wtforms.validators import ( from wtforms.validators import (
URL,
DataRequired, DataRequired,
Email, Email,
EqualTo, EqualTo,
@ -292,7 +293,7 @@ class BillForm(FlaskForm):
original_currency = SelectField(_("Currency"), validators=[DataRequired()]) original_currency = SelectField(_("Currency"), validators=[DataRequired()])
external_link = URLField( external_link = URLField(
_("External link"), _("External link"),
validators=[Optional()], validators=[Optional(), URL()],
description=_("A link to an external document, related to this bill"), description=_("A link to an external document, related to this bill"),
) )
payed_for = SelectMultipleField( payed_for = SelectMultipleField(
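Review bot: The `URL()` validator added on the `external_link` field checks the syntactic shape of the value (a lowercase scheme followed by `://`, a host, optional port/path/query), not which scheme it carries, so it is not a scheme allowlist and on its own does not establish the "prevent XSS" guarantee the commit title claims; the template that renders the link must still escape it, and the policy "only http(s) links are accepted" should be made explicit. A field-level validator on `BillForm` would pin that policy down and keeps the existing "Invalid URL" message the new test expects; `BillForm` itself starts outside this hunk, and `urlparse` and `ValidationError` would need to be in scope (the visible import block is cut off, so I cannot tell whether `ValidationError` is already imported). Bills stored before this change are not re-validated, so existing values are only covered by output escaping.
```python
    external_link = URLField(
        _("External link"),
        validators=[Optional(), URL()],
        description=_("A link to an external document, related to this bill"),
    )

    def validate_external_link(self, field):
        """Only accept http(s) links: URL() checks shape, not the scheme."""
        if field.data and urlparse(field.data).scheme not in ("http", "https"):
            raise ValidationError(_("Invalid URL"))

    # … unchanged: payed_for and the remaining fields …
```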


@ -675,6 +675,35 @@ class BudgetTestCase(IhatemoneyTestCase):
bill = models.Bill.query.filter(models.Bill.date == "2011-08-01")[0] bill = models.Bill.query.filter(models.Bill.date == "2011-08-01")[0]
self.assertEqual(bill.amount, 25.02) self.assertEqual(bill.amount, 25.02)
# add a bill with a valid external link
self.client.post(
"/raclette/add",
data={
"date": "2015-05-05",
"what": "fromage à raclette",
"payer": members_ids[0],
"payed_for": members_ids,
"amount": "42",
"external_link": "https://example.com/fromage",
},
)
bill = models.Bill.query.filter(models.Bill.date == "2015-05-05")[0]
self.assertEqual(bill.external_link, "https://example.com/fromage")
# add a bill with an invalid external link
resp = self.client.post(
"/raclette/add",
data={
"date": "2015-05-06",
"what": "mauvais fromage à raclette",
"payer": members_ids[0],
"payed_for": members_ids,
"amount": "42000",
"external_link": "javascript:alert('Tu bluffes, Martoni.')",
},
)
self.assertIn("Invalid URL", resp.data.decode("utf-8"))
def test_weighted_balance(self): def test_weighted_balance(self):
self.post_project("raclette") self.post_project("raclette")
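Review bot: The negative case at the end of the hunk only asserts that "Invalid URL" appears in the response body; it does not check that no bill was persisted for that request, which is the property the validator is meant to protect. Adding `self.assertEqual(models.Bill.query.filter(models.Bill.date == "2015-05-06").count(), 0)` after the `assertIn` would make the test fail if the form were ever accepted despite rendering the error text. The enclosing test method starts before this hunk, so I cannot confirm where `members_ids` is defined, but the positive case relies on it the same way the existing lines above do.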