fix: disable the Invite Users button until at least one email address…

… has been entered (#10136) * validate invite users button values * update validateEmail regex to address the concern of potential denial of service * handle event with jquery * fix sonarcloud integrity issue
openfoodfacts · Apr 19, 2024 · 88c92f7 · 88c92f7
1 parent 5a2fcf3
commit 88c92f7
Showing 1 changed file with 19 additions and 2 deletions.
diff --git a/templates/web/pages/org_form/org_form.tt.html b/templates/web/pages/org_form/org_form.tt.html
@@ -68,13 +68,13 @@ <h2>[% lang("organization_members") %]</h2>
 	</div>
 	[% END %]
 
-		<form method="post" action="/cgi/org.pl" enctype="multipart/form-data" style="margin-bottom: 20px;">
+	<form method="post" action="/cgi/org.pl" enctype="multipart/form-data" style="margin-bottom: 20px;">
 		<p>[% lang('enter_email_addresses_of_users') %]</p>
 		<textarea id="email_list" name="email_list" style="height:100px;width:50vw"></textarea>
 		<input type="hidden" name="action" value="process" />
 		<input type="hidden" name="type" value="add_users" />
 		<input type="hidden" name="orgid" value="[% orgid %]" />
-		<input type="submit" name=".submit" class="button" value= "[% edq(lang('invite_user')) %]"/>
+		<input type="submit" id="invite_button" name=".submit" class="button" value= "[% edq(lang('invite_user')) %]" disabled />
 	</form>
 
     <!-- Start form -->
@@ -177,4 +177,21 @@ <h3>[% lang('users_added_successfully') %]</h3>
     <p>&rarr; <a href="[% profile_url %]">[% profile_name %]</a></p>
 [% END %]
 
+<script src="[% static_subdomain %]/js/dist/jquery.js" data-base-layout="true"></script>
+<script>
+    \$(document).ready(function() {
+        \$('#email_list').on('input', function(event) {
+            var emailList = \$(event.target).val().split(',').map(function(email) {
+                return email.trim();
+            });
+            var allValid = emailList.every(validateEmail);
+            \$('#invite_button').prop('disabled', !allValid || emailList.length === 0 || emailList[0] === '');
+        });
+    });
+
+    function validateEmail(email) {
+        return /^[a-zA-Z0-9._%+-]+@[a-zA-Z0-9.-]+\.[a-zA-Z]{2,}$/.test(email.trim());
+    }
+</script>
+
 <!-- end templates/[% template.name %] -->