Add URL validation to external link to prevent XSS (#846)

Co-authored-by: Baptiste Jonglez <git@bitsofnetworks.org>
2025-04-28 17:32:38 +02:00 · 2021-10-10 18:39:03 +02:00 · 2021-10-10 18:39:03 +02:00 · 7554842b1f
commit 7554842b1f
parent c1ef4033b6
2 changed files with 31 additions and 1 deletions
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@ -13,6 +13,7 @@ from wtforms.fields.core import Label, SelectField, SelectMultipleField
 from wtforms.fields.html5 import DateField, DecimalField, URLField
 from wtforms.fields.simple import BooleanField, PasswordField, StringField, SubmitField
 from wtforms.validators import (
+    URL,
    DataRequired,
    Email,
    EqualTo,
@ -292,7 +293,7 @@ class BillForm(FlaskForm):
    original_currency = SelectField(_("Currency"), validators=[DataRequired()])
    external_link = URLField(
        _("External link"),
-        validators=[Optional()],
+        validators=[Optional(), URL()],
        description=_("A link to an external document, related to this bill"),
    )
    payed_for = SelectMultipleField(
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@ -675,6 +675,35 @@ class BudgetTestCase(IhatemoneyTestCase):
        bill = models.Bill.query.filter(models.Bill.date == "2011-08-01")[0]
        self.assertEqual(bill.amount, 25.02)

+        # add a bill with a valid external link
+        self.client.post(
+            "/raclette/add",
+            data={
+                "date": "2015-05-05",
+                "what": "fromage à raclette",
+                "payer": members_ids[0],
+                "payed_for": members_ids,
+                "amount": "42",
+                "external_link": "https://example.com/fromage",
+            },
+        )
+        bill = models.Bill.query.filter(models.Bill.date == "2015-05-05")[0]
+        self.assertEqual(bill.external_link, "https://example.com/fromage")
+
+        # add a bill with an invalid external link
+        resp = self.client.post(
+            "/raclette/add",
+            data={
+                "date": "2015-05-06",
+                "what": "mauvais fromage à raclette",
+                "payer": members_ids[0],
+                "payed_for": members_ids,
+                "amount": "42000",
+                "external_link": "javascript:alert('Tu bluffes, Martoni.')",
+            },
+        )
+        self.assertIn("Invalid URL", resp.data.decode("utf-8"))
+
    def test_weighted_balance(self):
        self.post_project("raclette")