From 667b65b9ccb5c68c2f251be12d6aa3d06cdcb0ba Mon Sep 17 00:00:00 2001
From: Glandos <bugs-github@antipoul.fr>
Date: Sat, 16 Jul 2022 23:26:51 +0200
Subject: [PATCH] Surround email in case of error (#1044)

fix https://huntr.dev/bounties/441cc44c-6837-46ec-9b30-52455aa71a2f/
---
 ihatemoney/forms.py             |  3 ++-
 ihatemoney/tests/budget_test.py | 19 ++++++++++++++++++-
 2 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/ihatemoney/forms.py b/ihatemoney/forms.py
index 315a2ab7b..af44ead7d 100644
--- a/ihatemoney/forms.py
+++ b/ihatemoney/forms.py
@@ -41,6 +41,7 @@
 from ihatemoney.currency_convertor import CurrencyConverter
 from ihatemoney.models import Bill, LoggingMode, Person, Project
 from ihatemoney.utils import (
+    em_surround,
     eval_arithmetic_expression,
     render_localized_currency,
     slugify,
@@ -439,7 +440,7 @@ def validate_emails(self, field):
                 email_validator.validate_email(email)
             except email_validator.EmailNotValidError:
                 raise ValidationError(
-                    _("The email %(email)s is not valid", email=email)
+                    _("The email %(email)s is not valid", email=em_surround(email))
                 )
 
 
diff --git a/ihatemoney/tests/budget_test.py b/ihatemoney/tests/budget_test.py
index b4fab7c45..261a958b4 100644
--- a/ihatemoney/tests/budget_test.py
+++ b/ihatemoney/tests/budget_test.py
@@ -58,7 +58,24 @@ def test_notifications(self):
         with self.app.mail.record_messages() as outbox:
             response = self.client.post("/raclette/invite", data={"emails": "toto"})
             self.assertEqual(len(outbox), 0)  # no message sent
-            self.assertIn("The email toto is not valid", response.data.decode("utf-8"))
+            self.assertIn(
+                'The email <em class="font-italic">toto</em> is not valid',
+                response.data.decode("utf-8"),
+            )
+
+        # mail address checking for escaping
+        with self.app.mail.record_messages() as outbox:
+            response = self.client.post(
+                "/raclette/invite",
+                data={"emails": "<img src=x onerror=alert(document.domain)>"},
+            )
+            self.assertEqual(len(outbox), 0)  # no message sent
+            self.assertIn(
+                'The email <em class="font-italic">'
+                "&lt;img src=x onerror=alert(document.domain)&gt;"
+                "</em> is not valid",
+                response.data.decode("utf-8"),
+            )
 
         # mixing good and wrong addresses shouldn't send any messages
         with self.app.mail.record_messages() as outbox: