[#7248] Sanitize admin email content with sanitizeForRichText (#7250)

TEAMMATES · May 11, 2017 · 7d2a4d9 · 7d2a4d9
1 parent 571d74f
commit 7d2a4d9
Show file tree

Hide file tree

Showing 2 changed files with 61 additions and 12 deletions.
diff --git a/src/main/java/teammates/common/datatransfer/attributes/AdminEmailAttributes.java b/src/main/java/teammates/common/datatransfer/attributes/AdminEmailAttributes.java
@@ -89,6 +89,7 @@ public String getJsonString() {
     @Override
     public void sanitizeForSaving() {
         this.subject = SanitizationHelper.sanitizeTextField(subject);
+        this.content = SanitizationHelper.sanitizeForRichText(content);
     }
 
     public String getEmailId() {

diff --git a/src/test/java/teammates/test/cases/action/AdminEmailComposeSaveActionTest.java b/src/test/java/teammates/test/cases/action/AdminEmailComposeSaveActionTest.java
@@ -4,6 +4,8 @@
 
 import teammates.common.datatransfer.attributes.AdminEmailAttributes;
 import teammates.common.util.Const;
+import teammates.common.util.SanitizationHelper;
+import teammates.common.util.StringHelper;
 import teammates.logic.core.AdminEmailsLogic;
 import teammates.test.driver.AssertHelper;
 import teammates.ui.controller.AdminEmailComposeSaveAction;
@@ -40,27 +42,35 @@ public void testExecuteAndPostProcess() throws Exception {
         gaeSimulation.loginAsAdmin(adminUserId);
 
         ______TS("save new email : typical values given : success");
+        String subject = "New Email Subject";
+        String content = "<p>Email Content</p>";
+        String receiver = "test@example.tmt";
         AdminEmailComposeSaveAction action =
                 getAction(
-                        Const.ParamsNames.ADMIN_EMAIL_CONTENT, "<p>Email Content</p>",
-                        Const.ParamsNames.ADMIN_EMAIL_SUBJECT, "Email Subject",
-                        Const.ParamsNames.ADMIN_EMAIL_ADDRESS_RECEIVERS, "test@example.tmt");
+                        Const.ParamsNames.ADMIN_EMAIL_CONTENT, content,
+                        Const.ParamsNames.ADMIN_EMAIL_SUBJECT, subject,
+                        Const.ParamsNames.ADMIN_EMAIL_ADDRESS_RECEIVERS, receiver);
         ShowPageResult pageResult = getShowPageResult(action);
         assertEquals(
                 Const.ViewURIs.ADMIN_EMAIL + "?error=false&user=admin.user", pageResult.getDestinationWithParams());
 
-        String expectedLogSegment = Const.StatusMessages.EMAIL_DRAFT_SAVED + ": <br>Subject: Email Subject";
+        String expectedLogSegment = Const.StatusMessages.EMAIL_DRAFT_SAVED + ": <br>Subject: New Email Subject";
         AssertHelper.assertContains(expectedLogSegment, action.getLogMessage());
 
         assertEquals(Const.StatusMessages.EMAIL_DRAFT_SAVED, pageResult.getStatusMessage());
 
         AdminEmailComposePageData data = (AdminEmailComposePageData) pageResult.data;
         assertNull(data.emailToEdit);
 
+        AdminEmailAttributes savedEmail = adminEmailsLogic.getAdminEmailBySubject(subject);
+        assertNotNull("Email should be saved and should exists.", savedEmail);
+        assertEquals(SanitizationHelper.sanitizeForRichText(content), savedEmail.getContentValue());
+        assertEquals(receiver, StringHelper.join(", ", savedEmail.getAddressReceiver().toArray(new String[0])));
+
         ______TS("save new email : invalid subject : failure");
-        String content = "<p>Email Content</p>";
-        String subject = "!Not starting with alphanumeric";
-        String receiver = "test@example.tmt";
+        content = "<p>Email Content</p>";
+        subject = "!Not starting with alphanumeric";
+        receiver = "test@example.tmt";
         action = getAction(
                 Const.ParamsNames.ADMIN_EMAIL_CONTENT, content,
                 Const.ParamsNames.ADMIN_EMAIL_SUBJECT, subject,
@@ -105,8 +115,8 @@ public void testExecuteAndPostProcess() throws Exception {
         AdminEmailAttributes email = adminEmailsLogic.getAdminEmailBySubject(emailData.getSubject());
         String emailId = email.emailId;
         content = "valid content";
-        subject = "valid subject <b>To check sanitization</b>";
-        receiver = "test@example.tmt";
+        subject = "valid existing email subject";
+        receiver = "test@example.tmt, test2@example.tmt";
         action = getAction(
                 Const.ParamsNames.ADMIN_EMAIL_CONTENT, content,
                 Const.ParamsNames.ADMIN_EMAIL_SUBJECT, subject,
@@ -117,14 +127,47 @@ public void testExecuteAndPostProcess() throws Exception {
                 Const.ViewURIs.ADMIN_EMAIL + "?error=false&user=admin.user", pageResult.getDestinationWithParams());
 
         expectedLogSegment = Const.StatusMessages.EMAIL_DRAFT_SAVED + ": <br>"
-                + "Subject: valid subject &lt;b&gt;To check sanitization&lt;&#x2f;b&gt;";
+                + "Subject: valid existing email subject";
         AssertHelper.assertContains(expectedLogSegment, action.getLogMessage());
 
         assertEquals(Const.StatusMessages.EMAIL_DRAFT_SAVED, pageResult.getStatusMessage());
 
         data = (AdminEmailComposePageData) pageResult.data;
         assertNull(data.emailToEdit);
 
+        savedEmail = adminEmailsLogic.getAdminEmailBySubject(subject);
+        assertNotNull("Email should be saved and should exists.", savedEmail);
+        assertEquals(SanitizationHelper.sanitizeForRichText(content), savedEmail.getContentValue());
+        assertEquals(receiver, StringHelper.join(", ", savedEmail.getAddressReceiver().toArray(new String[0])));
+
+        ______TS("save existing email : values require sanitization : success");
+        emailId = email.emailId;
+        content = "<p onclick=\"alert('hello');\">contents</p> </div> unclosed tags <script>alert(\"hello\");</script>";
+        subject = "valid existing email subject <b>To check sanitization</b>";
+        receiver = "test@example.tmt, test2@example.tmt, test3@example.tmt";
+        action = getAction(
+                Const.ParamsNames.ADMIN_EMAIL_CONTENT, content,
+                Const.ParamsNames.ADMIN_EMAIL_SUBJECT, subject,
+                Const.ParamsNames.ADMIN_EMAIL_ADDRESS_RECEIVERS, receiver,
+                Const.ParamsNames.ADMIN_EMAIL_ID, emailId);
+        pageResult = getShowPageResult(action);
+        assertEquals(
+                Const.ViewURIs.ADMIN_EMAIL + "?error=false&user=admin.user", pageResult.getDestinationWithParams());
+
+        expectedLogSegment = Const.StatusMessages.EMAIL_DRAFT_SAVED + ": <br>"
+                + "Subject: valid existing email subject &lt;b&gt;To check sanitization&lt;&#x2f;b&gt;";
+        AssertHelper.assertContains(expectedLogSegment, action.getLogMessage());
+
+        assertEquals(Const.StatusMessages.EMAIL_DRAFT_SAVED, pageResult.getStatusMessage());
+
+        data = (AdminEmailComposePageData) pageResult.data;
+        assertNull(data.emailToEdit);
+
+        savedEmail = adminEmailsLogic.getAdminEmailBySubject(subject);
+        assertNotNull("Email should be saved and should exists.", savedEmail);
+        assertEquals(SanitizationHelper.sanitizeForRichText(content), savedEmail.getContentValue());
+        assertEquals(receiver, StringHelper.join(", ", savedEmail.getAddressReceiver().toArray(new String[0])));
+
         ______TS("save existing email : invalid subject : failure");
         content = "valid content";
         subject = " ";
@@ -175,7 +218,7 @@ public void testExecuteAndPostProcess() throws Exception {
         ______TS("save non-existing email : typical values given : success");
         emailId = "nonExisitingId";
         content = "valid content";
-        subject = "valid subject <b>To check sanitization</b>";
+        subject = "valid non-existing email subject <b>To check sanitization</b>";
         receiver = "test@example.tmt";
         action = getAction(
                 Const.ParamsNames.ADMIN_EMAIL_CONTENT, content,
@@ -187,14 +230,19 @@ public void testExecuteAndPostProcess() throws Exception {
                 Const.ViewURIs.ADMIN_EMAIL + "?error=false&user=admin.user", pageResult.getDestinationWithParams());
 
         expectedLogSegment = Const.StatusMessages.EMAIL_DRAFT_SAVED + ": <br>"
-                + "Subject: valid subject &lt;b&gt;To check sanitization&lt;&#x2f;b&gt;";
+                + "Subject: valid non-existing email subject &lt;b&gt;To check sanitization&lt;&#x2f;b&gt;";
         AssertHelper.assertContains(expectedLogSegment, action.getLogMessage());
 
         assertEquals(Const.StatusMessages.EMAIL_DRAFT_SAVED, pageResult.getStatusMessage());
 
         data = (AdminEmailComposePageData) pageResult.data;
         assertNull(data.emailToEdit);
 
+        savedEmail = adminEmailsLogic.getAdminEmailBySubject(subject);
+        assertNotNull("Email should be saved and should exists.", savedEmail);
+        assertEquals(SanitizationHelper.sanitizeForRichText(content), savedEmail.getContentValue());
+        assertEquals(receiver, StringHelper.join(", ", savedEmail.getAddressReceiver().toArray(new String[0])));
+
         ______TS("save non-existing email : invalid subject : failure");
         emailId = "nonExisitingId";
         content = "valid content";