
Commit 55d8a0e

Fix bug 1116754: Sanitize AJAX returned form errors.
1 parent a4e0209 commit 55d8a0e

2 files changed

+28
-2
lines changed


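--- a/bedrock/newsletter/tests/test_views.py
+++ b/bedrock/newsletter/tests/test_views.py
@@ -550,6 +550,28 @@ def test_returns_ajax_errors(self, basket_mock):
         self.assertIn('privacy', resp_data['errors'][0])
         self.assertFalse(basket_mock.called)
 
+    @patch('bedrock.newsletter.views.basket')
+    def test_returns_sanitized_ajax_errors(self, basket_mock):
+        """Error messages should be HTML escaped.
+
+        Bug 1116754
+        """
+        data = {
+            'newsletters': 'flintstones',
+            'email': 'fred@example.com',
+            'fmt': 'H',
+            'privacy': True,
+            'country': '<svg/onload=alert("NEFARIOUSNESS")>',
+        }
+        resp = self.ajax_request(data)
+        resp_data = json.loads(resp.content)
+        self.assertFalse(resp_data['success'])
+        self.assertEqual(len(resp_data['errors']), 1)
+        self.assertNotIn(data['country'], resp_data['errors'][0])
+        self.assertIn('NEFARIOUSNESS', resp_data['errors'][0])
+        self.assertIn('&lt;svg', resp_data['errors'][0])
+        self.assertFalse(basket_mock.called)
+
     @patch('bedrock.newsletter.views.basket')
     def test_returns_ajax_success(self, basket_mock):
         """Good post should return success JSON"""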
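Review bot: The new test only pins escaping of `<` (`self.assertIn('&lt;svg', ...)`); the payload also carries double quotes, and nothing asserts what happens to them, so a message that is later dropped into an attribute context would pass this test while still being injectable. Adding `self.assertNotIn('"NEFARIOUSNESS"', resp_data['errors'][0])` would pin quote handling once the view escapes quotes as well. The test also relies on the country validation message echoing the submitted value (the `assertIn('NEFARIOUSNESS', ...)` line), which is not visible here; a one-line comment such as `# the country error message echoes the raw submitted value, so it is the XSS vector under test` would make that dependency explicit. A companion test for the non-AJAX branch (that escaped messages are not escaped a second time when rendered) would be worth adding, since the escaping in the view appears to happen before the AJAX check.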

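--- a/bedrock/newsletter/views.py
+++ b/bedrock/newsletter/views.py
@@ -2,10 +2,11 @@
 # License, v. 2.0. If a copy of the MPL was not distributed with this
 # file, You can obtain one at http://mozilla.org/MPL/2.0/.
 
-from collections import defaultdict
 import json
-from operator import itemgetter
 import re
+from cgi import escape
+from collections import defaultdict
+from operator import itemgetter
 
 from django.contrib import messages
 from django.forms.formsets import formset_factory
@@ -461,6 +462,9 @@ def newsletter_subscribe(request):
     if fieldname in form.errors:
         errors.extend(form.errors[fieldname])
 
+    # form error messages may contain unsanitized user input
+    errors = map(escape, errors)
+
     if request.is_ajax():
         # return JSON
         if errors: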
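Review bot: `errors = map(escape, errors)` escapes only `<`, `>` and `&`, because `cgi.escape` defaults to `quote=False`, so a message containing `"` or `'` is still unsafe if the client ever inserts it into an attribute or inline handler; `errors = [escape(e, quote=True) for e in errors]` closes that gap and also keeps `errors` a real list. The list form matters because `map` returns a lazy iterator on Python 3, which makes the `if errors:` check on the last hunk line always true and is not JSON-serializable; `cgi.escape` itself is deprecated in favour of `html.escape`, which is worth a `# TODO` next to the import. The escaping runs before `if request.is_ajax():`, so the non-AJAX branch (outside this hunk) also receives pre-escaped strings; if that branch hands them to Django templates or `messages` with autoescaping on, they will be double-escaped — worth confirming. The body of `newsletter_subscribe` starts and ends outside the hunk.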
