Add URL validation to external link to prevent XSS (#846)

Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
zorun 2021-10-10 18:39:03 +02:00 committed by GitHub
parent c1ef4033b6
commit 7554842b1f
2 changed files with 31 additions and 1 deletions


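--- a/[file path not shown on page]
+++ b/[file path not shown on page]
@@ -13,6 +13,7 @@ from wtforms.fields.core import Label, SelectField, SelectMultipleField
 from wtforms.fields.html5 import DateField, DecimalField, URLField
 from wtforms.fields.simple import BooleanField, PasswordField, StringField, SubmitField
 from wtforms.validators import (
+    URL,
     DataRequired,
     Email,
     EqualTo,
@@ -292,7 +293,7 @@ class BillForm(FlaskForm):
     original_currency = SelectField(_("Currency"), validators=[DataRequired()])
     external_link = URLField(
         _("External link"),
-        validators=[Optional()],
+        validators=[Optional(), URL()],
         description=_("A link to an external document, related to this bill"),
     )
     payed_for = SelectMultipleField(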
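Review bot: `URL()` on the `validators=[Optional(), URL()],` line only checks that the value has the general `scheme://host...` shape; as far as I recall WTForms' URL validator accepts any alphabetic scheme, so the protection here rests on the rejected test string lacking `://` rather than on an allowlist of link schemes. If the stored value is emitted as a link target in a template, constrain the scheme explicitly in the form, e.g. `validators=[Optional(), URL(), Regexp(r"(?i)^https?://", message=_("Only http and https links are allowed"))],` with `Regexp` added to the `wtforms.validators` import in the first hunk. A one-line comment on the field, `# scheme is restricted because the value is rendered as a link target`, would tell the next maintainer why the extra validator is there. `BillForm` continues outside the hunk.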


@ -675,6 +675,35 @@ class BudgetTestCase(IhatemoneyTestCase):
bill = models.Bill.query.filter(models.Bill.date == "2011-08-01")[0] bill = models.Bill.query.filter(models.Bill.date == "2011-08-01")[0]
self.assertEqual(bill.amount, 25.02) self.assertEqual(bill.amount, 25.02)
# add a bill with a valid external link
self.client.post(
"/raclette/add",
data={
"date": "2015-05-05",
"what": "fromage à raclette",
"payer": members_ids[0],
"payed_for": members_ids,
"amount": "42",
"external_link": "https://example.com/fromage",
},
)
bill = models.Bill.query.filter(models.Bill.date == "2015-05-05")[0]
self.assertEqual(bill.external_link, "https://example.com/fromage")
# add a bill with an invalid external link
resp = self.client.post(
"/raclette/add",
data={
"date": "2015-05-06",
"what": "mauvais fromage à raclette",
"payer": members_ids[0],
"payed_for": members_ids,
"amount": "42000",
"external_link": "javascript:alert('Tu bluffes, Martoni.')",
},
)
self.assertIn("Invalid URL", resp.data.decode("utf-8"))
def test_weighted_balance(self): def test_weighted_balance(self):
self.post_project("raclette") self.post_project("raclette")
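Review bot: The negative case ending at `self.assertIn("Invalid URL", resp.data.decode("utf-8"))` only checks that the error text is rendered; it does not verify that no bill dated 2015-05-06 was persisted, so a regression that shows the message but still saves the row would pass. Add `self.assertEqual(models.Bill.query.filter(models.Bill.date == "2015-05-06").count(), 0)` after the assertion. The asserted text appears to be WTForms' default message, which may change under translation or a future WTForms release; passing an explicit `message=` to the validator in the form, or asserting on the field error rather than the page body, would make the test less brittle. The enclosing test method starts outside the hunk.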