diff --git a/ihatemoney/forms.py b/ihatemoney/forms.py
index 315a2ab7..af44ead7 100644
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@@ -41,6 +41,7 @@ from wtforms.validators import (
from ihatemoney.currency_convertor import CurrencyConverter
from ihatemoney.models import Bill, LoggingMode, Person, Project
from ihatemoney.utils import (
+ em_surround,
eval_arithmetic_expression,
render_localized_currency,
slugify,
@@ -439,7 +440,7 @@ class InviteForm(FlaskForm):
email_validator.validate_email(email)
except email_validator.EmailNotValidError:
raise ValidationError(
- _("The email %(email)s is not valid", email=email)
+ _("The email %(email)s is not valid", email=em_surround(email))
)
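Review bot: The `em_surround(email)` call on the `+` line passes raw user input to a helper whose escaping contract is not visible here; the message is only safe if `em_surround` HTML-escapes its argument before adding the `<em>` tags and returns it as markup, which the new budget_test.py assertion suggests but this file does not show. That dependency is worth pinning at the call site, e.g. `# em_surround must HTML-escape email (untrusted input) before wrapping it in <em>; the rendered message is treated as markup`. If the validation-error channel is now rendered as markup rather than auto-escaped, every other ValidationError message in this form that embeds user-supplied text must go through the same escaping, not only this one. The enclosing validator method starts before this hunk.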
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index b4fab7c4..261a958b 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -58,7 +58,24 @@ class BudgetTestCase(IhatemoneyTestCase):
with self.app.mail.record_messages() as outbox:
response = self.client.post("/raclette/invite", data={"emails": "toto"})
self.assertEqual(len(outbox), 0) # no message sent
- self.assertIn("The email toto is not valid", response.data.decode("utf-8"))
+ self.assertIn(
+ 'The email toto is not valid',
+ response.data.decode("utf-8"),
+ )
+
+ # mail address checking for escaping
+ with self.app.mail.record_messages() as outbox:
+ response = self.client.post(
+ "/raclette/invite",
+ data={"emails": "
"},
+ )
+ self.assertEqual(len(outbox), 0) # no message sent
+ self.assertIn(
+ 'The email '
+ "<img src=x onerror=alert(document.domain)>"
+ " is not valid",
+ response.data.decode("utf-8"),
+ )
# mixing good and wrong addresses shouldn't send any messages
with self.app.mail.record_messages() as outbox: