🐛 Subscribers: validate urls (#7540)

no issue - Ensure URLs submitted via form are sanitized so that we only accept real urls - Add some tests for the isEmptyOrURL validator
TryGhost · Oct 14, 2016 · 03e4acd · 03e4acd
1 parent ea2c3a0
commit 03e4acd
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 2 deletions.
diff --git a/core/server/apps/subscribers/lib/router.js b/core/server/apps/subscribers/lib/router.js
@@ -7,6 +7,7 @@ var path                = require('path'),
     // Dirty requires
     api                 = require('../../../api'),
     errors              = require('../../../errors'),
+    validator           = require('../../../data/validation').validator,
     templates           = require('../../../controllers/frontend/templates'),
     postlookup          = require('../../../controllers/frontend/post-lookup'),
     setResponseContext  = require('../../../controllers/frontend/context');
@@ -45,9 +46,13 @@ function honeyPot(req, res, next) {
     next();
 }
 
+function santizeUrl(url) {
+    return validator.isEmptyOrURL(url) ? url : '';
+}
+
 function handleSource(req, res, next) {
-    req.body.subscribed_url = req.body.location;
-    req.body.subscribed_referrer = req.body.referrer;
+    req.body.subscribed_url = santizeUrl(req.body.location);
+    req.body.subscribed_referrer = santizeUrl(req.body.referrer);
     delete req.body.location;
     delete req.body.referrer;
 

diff --git a/core/test/unit/validation_spec.js b/core/test/unit/validation_spec.js
@@ -0,0 +1,33 @@
+var should  = require('should'),
+
+    validation = require('../../server/data/validation');
+
+// Validate our customisations
+describe('Validation', function () {
+    it('should export our required functions', function () {
+        should.exist(validation);
+
+        validation.should.have.properties(
+            ['validate', 'validator', 'validateSchema', 'validateSettings', 'validateActiveTheme']
+        );
+
+        validation.validate.should.be.a.Function();
+        validation.validateSchema.should.be.a.Function();
+        validation.validateSettings.should.be.a.Function();
+        validation.validateActiveTheme.should.be.a.Function();
+
+        validation.validator.should.have.properties(['empty', 'notContains', 'isTimezone', 'isEmptyOrURL', 'isSlug']);
+    });
+
+    describe('Validator customisations', function () {
+        var validator = validation.validator;
+
+        it('isEmptyOrUrl filters javascript urls', function () {
+            /*jshint scripturl:true */
+            validator.isEmptyOrURL('javascript:alert(0)').should.be.false();
+            /*jshint scripturl:false */
+            validator.isEmptyOrURL('').should.be.true();
+            validator.isEmptyOrURL('http://localhost:2368').should.be.true();
+        });
+    });
+});