Surround email in case of error (#1044)

fix https://huntr.dev/bounties/441cc44c-6837-46ec-9b30-52455aa71a2f/
spiral-project · Jul 16, 2022 · 667b65b · 667b65b
1 parent e9b7426
commit 667b65b
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 2 deletions.
diff --git a/ihatemoney/forms.py b/ihatemoney/forms.py
@@ -41,6 +41,7 @@
 from ihatemoney.currency_convertor import CurrencyConverter
 from ihatemoney.models import Bill, LoggingMode, Person, Project
 from ihatemoney.utils import (
+    em_surround,
     eval_arithmetic_expression,
     render_localized_currency,
     slugify,
@@ -439,7 +440,7 @@ def validate_emails(self, field):
                 email_validator.validate_email(email)
             except email_validator.EmailNotValidError:
                 raise ValidationError(
-                    _("The email %(email)s is not valid", email=email)
+                    _("The email %(email)s is not valid", email=em_surround(email))
                 )
 
 

diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
@@ -58,7 +58,24 @@ def test_notifications(self):
         with self.app.mail.record_messages() as outbox:
             response = self.client.post("/raclette/invite", data={"emails": "toto"})
             self.assertEqual(len(outbox), 0)  # no message sent
-            self.assertIn("The email toto is not valid", response.data.decode("utf-8"))
+            self.assertIn(
+                'The email <em class="font-italic">toto</em> is not valid',
+                response.data.decode("utf-8"),
+            )
+
+        # mail address checking for escaping
+        with self.app.mail.record_messages() as outbox:
+            response = self.client.post(
+                "/raclette/invite",
+                data={"emails": "<img src=x onerror=alert(document.domain)>"},
+            )
+            self.assertEqual(len(outbox), 0)  # no message sent
+            self.assertIn(
+                'The email <em class="font-italic">'
+                "&lt;img src=x onerror=alert(document.domain)&gt;"
+                "</em> is not valid",
+                response.data.decode("utf-8"),
+            )
 
         # mixing good and wrong addresses shouldn't send any messages
         with self.app.mail.record_messages() as outbox: