Surround email in case of error (#1044)

fix https://huntr.dev/bounties/441cc44c-6837-46ec-9b30-52455aa71a2f/
2025-04-28 17:32:38 +02:00 · 2022-07-16 23:26:51 +02:00 · 2022-07-16 23:26:51 +02:00 · 667b65b9cc
commit 667b65b9cc
parent e9b7426a98
2 changed files with 20 additions and 2 deletions
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@ -41,6 +41,7 @@ from wtforms.validators import (
 from ihatemoney.currency_convertor import CurrencyConverter
 from ihatemoney.models import Bill, LoggingMode, Person, Project
 from ihatemoney.utils import (
+    em_surround,
    eval_arithmetic_expression,
    render_localized_currency,
    slugify,
@ -439,7 +440,7 @@ class InviteForm(FlaskForm):
                email_validator.validate_email(email)
            except email_validator.EmailNotValidError:
                raise ValidationError(
-                    _("The email %(email)s is not valid", email=email)
+                    _("The email %(email)s is not valid", email=em_surround(email))
                )


--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -58,7 +58,24 @@ class BudgetTestCase(IhatemoneyTestCase):
        with self.app.mail.record_messages() as outbox:
            response = self.client.post("/raclette/invite", data={"emails": "toto"})
            self.assertEqual(len(outbox), 0)  # no message sent
-            self.assertIn("The email toto is not valid", response.data.decode("utf-8"))
+            self.assertIn(
+                'The email <em class="font-italic">toto</em> is not valid',
+                response.data.decode("utf-8"),
+            )
+
+        # mail address checking for escaping
+        with self.app.mail.record_messages() as outbox:
+            response = self.client.post(
+                "/raclette/invite",
+                data={"emails": "<img src=x onerror=alert(document.domain)>"},
+            )
+            self.assertEqual(len(outbox), 0)  # no message sent
+            self.assertIn(
+                'The email <em class="font-italic">'
+                "&lt;img src=x onerror=alert(document.domain)&gt;"
+                "</em> is not valid",
+                response.data.decode("utf-8"),
+            )

        # mixing good and wrong addresses shouldn't send any messages
        with self.app.mail.record_messages() as outbox: