[#8779] AccountAttributes: Remove HTML sanitization before saving for googleId, name, institute #9368
Conversation
| @@ -181,9 +181,9 @@ public String getJsonString() { | |||
|
|
|||
| @Override | |||
| public void sanitizeForSaving() { | |||
| this.googleId = SanitizationHelper.sanitizeForHtml(googleId); | |||
There was a problem hiding this comment.
Should use SanitizationHelper.sanitizeGoogleId?
| @@ -181,9 +181,9 @@ public String getJsonString() { | |||
|
|
|||
| @Override | |||
| public void sanitizeForSaving() { | |||
| this.googleId = SanitizationHelper.sanitizeForHtml(googleId); | |||
| this.name = SanitizationHelper.sanitizeForHtml(name); | |||
There was a problem hiding this comment.
SanitizationHelper.sanitizeName?
| @@ -181,9 +181,9 @@ public String getJsonString() { | |||
|
|
|||
| @Override | |||
| public void sanitizeForSaving() { | |||
| this.googleId = SanitizationHelper.sanitizeForHtml(googleId); | |||
| this.name = SanitizationHelper.sanitizeForHtml(name); | |||
| this.institute = SanitizationHelper.sanitizeForHtml(institute); | |||
There was a problem hiding this comment.
SanitizationHelper.sanitizeName maybe?
|
Done, ready for review. I used SanitizationHelper.sanitizeTitle for institute sanitization (based on AccountAttributes's Builder build() method.) |
package.json
Outdated
| @@ -44,7 +44,7 @@ | |||
| }, | |||
| "devDependencies": { | |||
| "@angular-builders/jest": "~7.1.2", | |||
| "@angular-devkit/build-angular": "~0.11.4", | |||
| @@ -95,9 +94,9 @@ public void testSanitizeForSaving() { | |||
| AccountAttributes expectedAccount = createAccountAttributesToSanitize(); | |||
| actualAccount.sanitizeForSaving(); | |||
|
|
|||
| assertEquals(SanitizationHelper.sanitizeForHtml(expectedAccount.googleId), actualAccount.googleId); | |||
There was a problem hiding this comment.
So your tests should also reflect the changes?
e.g. Having some values that need to be sanitised and test whether the actualAccount.sanitizeForSaving(); work or not?
|
Sorry, forgot about the tests. Interestingly, this means that the tests would have passed no matter what, because the Builder in AccountAttributes sanitized the results when building the object. I've changed the email test to add the single quote and added whitespace around all the values since the sanitization code is effectively just trimming the values. Ready for review. |
| @@ -92,6 +92,10 @@ public AccountAttributes build() { | |||
| return accountAttributes; | |||
| } | |||
|
|
|||
| public AccountAttributes buildWithoutSanitizing() { | |||
There was a problem hiding this comment.
I don't think it is a good practice to introduce this method in production code just for testing.
| assertEquals(SanitizationHelper.sanitizeForHtml(expectedAccount.name), actualAccount.name); | ||
| assertEquals(SanitizationHelper.sanitizeForHtml(expectedAccount.institute), actualAccount.institute); | ||
| assertEquals(SanitizationHelper.sanitizeGoogleId(expectedAccount.googleId), actualAccount.googleId); | ||
| assertEquals(SanitizationHelper.sanitizeName(expectedAccount.name), actualAccount.name); |
There was a problem hiding this comment.
Interestingly, this means that the tests would have passed no matter what, because the Builder in AccountAttributes sanitized the results when building the object.
If that is the case. Maybe we can just do assertEquals(expectedAccount.name, actualAccount.name)
There was a problem hiding this comment.
I'm not quite sure I understand how that solves the problem. Since build sanitizes all the fields, both expectedAccount and actualAccount will have the same values. Checking equality would only verify that running sanitizeForSaving on sanitized values doesn't change the values at all.
Perhaps the method createAccountAttributesToSanitize could just modify the values directly? So something like:
private AccountAttributes createAccountAttributesToSanitize() {
AccountAttributes unsanitizedAttributes = AccountAttributes.builder().build();
unsanitizedAttributes.googleId = " google'Id@gmail.com\t";
unsanitizedAttributes.name = "'name'\n\n";
unsanitizedAttributes.institute = "\\\t\n/";
unsanitizedAttributes.email = "&<email>&\n";
unsanitizedAttributes.isInstructor = true;
return unsanitizedAttributes;
}
|
Ok, ready for review. |
| unsanitizedAttributes.googleId = " google'Id@gmail.com\t"; | ||
| unsanitizedAttributes.name = "'name'\n\n"; | ||
| unsanitizedAttributes.institute = "\\\t\n/"; | ||
| unsanitizedAttributes.email = "&<email>&\n"; |
There was a problem hiding this comment.
I think we should change this to a valid email address.
|
|
||
| AccountAttributes unsanitizedAttributes = AccountAttributes.builder().build(); | ||
| unsanitizedAttributes.googleId = " google'Id@gmail.com\t"; | ||
| unsanitizedAttributes.name = "'name'\n\n"; |
There was a problem hiding this comment.
There should be some extra space inside name in order to make sure sanitizeName is doing the job? 'name'\n\n?
| AccountAttributes unsanitizedAttributes = AccountAttributes.builder().build(); | ||
| unsanitizedAttributes.googleId = " google'Id@gmail.com\t"; | ||
| unsanitizedAttributes.name = "'name'\n\n"; | ||
| unsanitizedAttributes.institute = "\\\t\n/"; |
|
Ok, test data modified, whitespace added to the middle of the strings. Ready for review. |
xpdavid
added
s.FinalReview
xpdavid
added
s.ToMerge
Fixes #8779
Outline of Solution
Basically just removed the sanitization in AccountAttributes and updated tests. I have tested with single quotes in the email (as per #8774) and it works.
I'm not sure if I need to write a migration script, let me know if I need to. Based on my checks, if there was something to be migrated, it wouldn't have made it to the database anyway because the application would have just rejected it.
Ready for review.