almet/ihatemoney
1
0
Fork 0
mirror of https://github.com/spiral-project/ihatemoney.git synced 2025-04-28 17:32:38 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

Surround email in case of error (#1044)

Browse source 
fix https://huntr.dev/bounties/441cc44c-6837-46ec-9b30-52455aa71a2f/
This commit is contained in:
Glandos 2022-07-16 23:26:51 +02:00 committed by GitHub
parent e9b7426a98
commit 667b65b9cc
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 20 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
ihatemoney/forms.py
View file

@ -41,6 +41,7 @@ from wtforms.validators import (
from ihatemoney.currency_convertor import CurrencyConverter from ihatemoney.currency_convertor import CurrencyConverter
from ihatemoney.models import Bill, LoggingMode, Person, Project from ihatemoney.models import Bill, LoggingMode, Person, Project
from ihatemoney.utils import ( from ihatemoney.utils import (
em_surround,
eval_arithmetic_expression, eval_arithmetic_expression,
render_localized_currency, render_localized_currency,
slugify, slugify,
@ -439,7 +440,7 @@ class InviteForm(FlaskForm):
email_validator.validate_email(email) email_validator.validate_email(email)
except email_validator.EmailNotValidError: except email_validator.EmailNotValidError:
raise ValidationError( raise ValidationError(
_("The email %(email)s is not valid", email=email) _("The email %(email)s is not valid", email=em_surround(email))
) )

19
ihatemoney/tests/budget_test.py
View file

@ -58,7 +58,24 @@ class BudgetTestCase(IhatemoneyTestCase):
with self.app.mail.record_messages() as outbox: with self.app.mail.record_messages() as outbox:
response = self.client.post("/raclette/invite", data={"emails": "toto"}) response = self.client.post("/raclette/invite", data={"emails": "toto"})
self.assertEqual(len(outbox), 0) # no message sent self.assertEqual(len(outbox), 0) # no message sent
self.assertIn("The email toto is not valid", response.data.decode("utf-8")) self.assertIn(
'The email <em class="font-italic">toto</em> is not valid',
response.data.decode("utf-8"),
)
# mail address checking for escaping
with self.app.mail.record_messages() as outbox:
response = self.client.post(
"/raclette/invite",
data={"emails": "<img src=x onerror=alert(document.domain)>"},
)
self.assertEqual(len(outbox), 0) # no message sent
self.assertIn(
'The email <em class="font-italic">'
"&lt;img src=x onerror=alert(document.domain)&gt;"
"</em> is not valid",
response.data.decode("utf-8"),
)
# mixing good and wrong addresses shouldn't send any messages # mixing good and wrong addresses shouldn't send any messages
with self.app.mail.record_messages() as outbox: with self.app.mail.record_messages() as outbox: