Skip to content
Browse files
Fix bug 1116754: Sanitize AJAX returned form errors.
  • Loading branch information
pmac committed Jan 6, 2015
1 parent a4e0209 commit 55d8a0ebfab931f96903f2c3f7b7d21aa16ffe47
Showing with 28 additions and 2 deletions.
  1. +22 −0 bedrock/newsletter/tests/
  2. +6 −2 bedrock/newsletter/
@@ -550,6 +550,28 @@ def test_returns_ajax_errors(self, basket_mock):
self.assertIn('privacy', resp_data['errors'][0])

def test_returns_sanitized_ajax_errors(self, basket_mock):
"""Error messages should be HTML escaped.
Bug 1116754
data = {
'newsletters': 'flintstones',
'email': '',
'fmt': 'H',
'privacy': True,
'country': '<svg/onload=alert("NEFARIOUSNESS")>',
resp = self.ajax_request(data)
resp_data = json.loads(resp.content)
self.assertEqual(len(resp_data['errors']), 1)
self.assertNotIn(data['country'], resp_data['errors'][0])
self.assertIn('NEFARIOUSNESS', resp_data['errors'][0])
self.assertIn('&lt;svg', resp_data['errors'][0])

def test_returns_ajax_success(self, basket_mock):
"""Good post should return success JSON"""
@@ -2,10 +2,11 @@
# License, v. 2.0. If a copy of the MPL was not distributed with this
# file, You can obtain one at

from collections import defaultdict
import json
from operator import itemgetter
import re
from cgi import escape
from collections import defaultdict
from operator import itemgetter

from django.contrib import messages
from django.forms.formsets import formset_factory
@@ -461,6 +462,9 @@ def newsletter_subscribe(request):
if fieldname in form.errors:

# form error messages may contain unsanitized user input
errors = map(escape, errors)

if request.is_ajax():
# return JSON
if errors:

0 comments on commit 55d8a0e

Please sign in to comment.