Fix bug 1116754: Sanitize AJAX returned form errors.
pmac committed Jan 6, 2015
1 parent a4e0209 commit 55d8a0e
Showing 2 changed files with 28 additions and 2 deletions.
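--- a/bedrock/newsletter/tests/test_views.py
+++ b/bedrock/newsletter/tests/test_views.py
@@ -550,6 +550,28 @@ def test_returns_ajax_errors(self, basket_mock):
 self.assertIn('privacy', resp_data['errors'][0])
 self.assertFalse(basket_mock.called)
 
+@patch('bedrock.newsletter.views.basket')
+def test_returns_sanitized_ajax_errors(self, basket_mock):
+"""Error messages should be HTML escaped.
+Bug 1116754
+"""
+data = {
+'newsletters': 'flintstones',
+'email': 'fred@example.com',
+'fmt': 'H',
+'privacy': True,
+'country': '<svg/onload=alert("NEFARIOUSNESS")>',
+}
+resp = self.ajax_request(data)
+resp_data = json.loads(resp.content)
+self.assertFalse(resp_data['success'])
+self.assertEqual(len(resp_data['errors']), 1)
+self.assertNotIn(data['country'], resp_data['errors'][0])
+self.assertIn('NEFARIOUSNESS', resp_data['errors'][0])
+self.assertIn('&lt;svg', resp_data['errors'][0])
+self.assertFalse(basket_mock.called)
+
 @patch('bedrock.newsletter.views.basket')
 def test_returns_ajax_success(self, basket_mock):
 """Good post should return success JSON"""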
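Review bot: The fixture deliberately contains double quotes (`alert("NEFARIOUSNESS")`) but the assertions only pin the `<` escape (`&lt;svg`), so the test cannot tell whether quote characters survive into the returned message; with `cgi.escape`'s default `quote=False` they do, which matters if a consumer ever places the message in an attribute. Once the view escapes quotes as well, add `self.assertNotIn('"', resp_data['errors'][0])` next to the existing `assertIn('&lt;svg', ...)` so the regression guard covers both contexts. It would also help to state in the docstring which field is the vector, e.g. `"""Error messages should be HTML escaped (country is the reflected field). Bug 1116754"""`, since the `len(...) == 1` assertion silently depends on `country` being the only invalid field.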
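--- a/bedrock/newsletter/views.py
+++ b/bedrock/newsletter/views.py
@@ -2,10 +2,11 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-from collections import defaultdict
 import json
-from operator import itemgetter
 import re
+from cgi import escape
+from collections import defaultdict
+from operator import itemgetter
 
 from django.contrib import messages
 from django.forms.formsets import formset_factory
@@ -461,6 +462,9 @@ def newsletter_subscribe(request):
 if fieldname in form.errors:
 errors.extend(form.errors[fieldname])
 
+# form error messages may contain unsanitized user input
+errors = map(escape, errors)
+
 if request.is_ajax():
 # return JSON
 if errors: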
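Review bot: `errors = map(escape, errors)` escapes `<`, `>` and `&` only, because `cgi.escape` defaults to `quote=False`, so a reflected value such as the test's `alert("...")` keeps its `"` and `'` characters and remains injectable in an attribute context; `cgi.escape` is also deprecated in Python 3 and removed from 3.8. Since the module already imports from Django (`from django.contrib import messages`), `from django.utils.html import escape` gives quote-escaping for free; otherwise `escape(e, quote=True)` does. Independently, `map` is lazy on Python 3, where the `if errors:` check a few lines below would always be true for an iterator, so a list comprehension is safer in both interpreters: `errors = [escape(e, quote=True) for e in errors]`. The escaped messages are sent as JSON, so the comment should say that the client is expected to insert them as HTML, e.g. `# escape for HTML insertion by the AJAX client; quotes included so attribute contexts are safe too`. newsletter_subscribe begins and ends outside this hunk.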
