
Fix bug 1116754: Sanitize AJAX returned form errors.

1 parent a4e0209 commit 55d8a0ebfab931f96903f2c3f7b7d21aa16ffe47 @pmac pmac committed Jan 6, 2015
Showing with 28 additions and 2 deletions.
  1. +22 −0 bedrock/newsletter/tests/test_views.py
  2. +6 −2 bedrock/newsletter/views.py
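--- a/bedrock/newsletter/tests/test_views.py
+++ b/bedrock/newsletter/tests/test_views.py
@@ -551,6 +551,28 @@ def test_returns_ajax_errors(self, basket_mock):
 self.assertFalse(basket_mock.called)
 @patch('bedrock.newsletter.views.basket')
+def test_returns_sanitized_ajax_errors(self, basket_mock):
+"""Error messages should be HTML escaped.
+
+Bug 1116754
+"""
+data = {
+'newsletters': 'flintstones',
+'email': 'fred@example.com',
+'fmt': 'H',
+'privacy': True,
+'country': '<svg/onload=alert("NEFARIOUSNESS")>',
+}
+resp = self.ajax_request(data)
+resp_data = json.loads(resp.content)
+self.assertFalse(resp_data['success'])
+self.assertEqual(len(resp_data['errors']), 1)
+self.assertNotIn(data['country'], resp_data['errors'][0])
+self.assertIn('NEFARIOUSNESS', resp_data['errors'][0])
+self.assertIn('&lt;svg', resp_data['errors'][0])
+self.assertFalse(basket_mock.called)
+
 @patch('bedrock.newsletter.views.basket')
 def test_returns_ajax_success(self, basket_mock):
 """Good post should return success JSON"""
 data = {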
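Review bot: The payload's double quotes are never asserted on — `cgi.escape` leaves `"` and `'` untouched by default, so `test_returns_sanitized_ajax_errors` passes whether or not quotes are escaped, and an injection into an attribute or inline-handler context would go unnoticed. If the view is switched to a helper that escapes quotes, pin that here with `self.assertNotIn('"', resp_data['errors'][0])` and `self.assertIn('&quot;', resp_data['errors'][0])`. The assertions also depend on the country field's invalid-choice error message echoing the raw submitted value, which appears to be the framework default but deserves a comment such as `# the invalid-choice message echoes the submitted value, so the payload reaches the response`. The enclosing test class continues outside the hunk.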
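--- a/bedrock/newsletter/views.py
+++ b/bedrock/newsletter/views.py
@@ -2,10 +2,11 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
-from collections import defaultdict
 import json
-from operator import itemgetter
 import re
+from cgi import escape
+from collections import defaultdict
+from operator import itemgetter
 from django.contrib import messages
 from django.forms.formsets import formset_factory
@@ -461,6 +462,9 @@ def newsletter_subscribe(request):
 if fieldname in form.errors:
 errors.extend(form.errors[fieldname])
+# form error messages may contain unsanitized user input
+errors = map(escape, errors)
+
 if request.is_ajax():
 # return JSON
 if errors: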
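Review bot: `escape` on the new `errors = map(escape, errors)` line is `cgi.escape`, whose default `quote=False` neutralises only `&`, `<` and `>`, so an error string that the client drops into an HTML attribute or inline event handler remains injectable. The framework's own helper escapes `"` and `'` as well (and `cgi.escape` is deprecated and later removed in Python 3), so replace the new import with `from django.utils.html import escape` and materialise the result so it stays JSON-serialisable should the project run on Python 3, where `map` is lazy: `errors = [escape(e) for e in errors]`. Escaping at the JSON boundary is only correct if every consumer inserts these strings as HTML markup; a client that assigns them via `textContent` would display the entities literally, so the comment above the line should state that contract, e.g. `# errors are HTML-escaped here because the AJAX client inserts them as markup`. newsletter_subscribe starts and ends outside the hunk.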
