fix(email): sanitize user message
This commit is contained in:
parent
adb161466e
commit
fd7839773b
5 changed files with 18 additions and 5 deletions
|
@ -10,8 +10,7 @@
|
||||||
|
|
||||||
- if @invite.message.present?
|
- if @invite.message.present?
|
||||||
%blockquote
|
%blockquote
|
||||||
%p
|
= simple_format(@invite.message)
|
||||||
= @invite.message
|
|
||||||
|
|
||||||
%p
|
%p
|
||||||
Cette plateforme permet à ses utilisateurs d’établir des dossiers 100 % en ligne et de dialoguer avec plusieurs interlocuteurs privilégiés avant d’instruire un dépot.
|
Cette plateforme permet à ses utilisateurs d’établir des dossiers 100 % en ligne et de dialoguer avec plusieurs interlocuteurs privilégiés avant d’instruire un dépot.
|
||||||
|
|
|
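Review bot: The new `= simple_format(@invite.message)` line strips the `<a>` element only because `simple_format` delegates to the application's `sanitize` safe list, and Rails' default safe list keeps `a` and `href`; the stripping therefore hinges on app-level sanitizer configuration that is not visible in this commit. The spec pins the stripped output, but the template gives no hint of that dependency, so a comment such as `-# simple_format passes the message through the app sanitizer; links are expected to be stripped (see InviteMailer spec)` above the line would make the contract explicit, or the allowed tags could be pinned at the call site through the helper's sanitize options if the app's Rails version supports them. The same replacement appears in the second template hunk below (`= simple_format(@invite.message)` under `%blockquote`) and this note applies there as well. The `- if @invite.message.present?` block is only partly visible here, so its surroundings are outside the hunk.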
@ -8,8 +8,7 @@
|
||||||
|
|
||||||
- if @invite.message.present?
|
- if @invite.message.present?
|
||||||
%blockquote
|
%blockquote
|
||||||
%p
|
= simple_format(@invite.message)
|
||||||
= @invite.message
|
|
||||||
|
|
||||||
%p
|
%p
|
||||||
Pour le consulter, merci de suivre ce lien :
|
Pour le consulter, merci de suivre ce lien :
|
||||||
|
|
|
@ -9,7 +9,7 @@
|
||||||
<!--<![endif]-->
|
<!--<![endif]-->
|
||||||
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
|
||||||
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
<meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||||||
<style type="text/css"> #outlook a { padding: 0; } .ReadMsgBody { width: 100%; } .ExternalClass { width: 100%; } .ExternalClass * { line-height:100%; } body { margin: 0; padding: 0; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; } table, td { border-collapse:collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; } img { border: 0; height: auto; line-height: 100%; outline: none; text-decoration: none; -ms-interpolation-mode: bicubic; } p { display: block; margin: 13px 0; } blockquote { margin: 0; } blockquote p { padding: 15px; background: #eee; border-radius: 5px; } blockquote p::before { content: '\201C'; } blockquote p::after { content: '\201D'; }</style>
|
<style type="text/css"> #outlook a { padding: 0; } .ReadMsgBody { width: 100%; } .ExternalClass { width: 100%; } .ExternalClass * { line-height:100%; } body { margin: 0; padding: 0; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; } table, td { border-collapse:collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; } img { border: 0; height: auto; line-height: 100%; outline: none; text-decoration: none; -ms-interpolation-mode: bicubic; } p { display: block; margin: 13px 0; } blockquote { margin: 0; background: #eee; } blockquote p { padding: 10px; border-radius: 5px; }</style>
|
||||||
<!--[if !mso]>
|
<!--[if !mso]>
|
||||||
<!-->
|
<!-->
|
||||||
<style type="text/css"> @media only screen and (max-width:480px) { @-ms-viewport { width:320px; } @viewport { width:320px; } }</style>
|
<style type="text/css"> @media only screen and (max-width:480px) { @-ms-viewport { width:320px; } @viewport { width:320px; } }</style>
|
||||||
|
|
|
@ -3,6 +3,7 @@ FactoryBot.define do
|
||||||
email { 'plop@octo.com' }
|
email { 'plop@octo.com' }
|
||||||
user { nil }
|
user { nil }
|
||||||
association :dossier
|
association :dossier
|
||||||
|
message { "un message d'invitation" }
|
||||||
|
|
||||||
after(:build) do |invite, _evaluator|
|
after(:build) do |invite, _evaluator|
|
||||||
if invite.user.present?
|
if invite.user.present?
|
||||||
|
|
|
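Review bot: Giving `message` a present default in the factory means the `- if @invite.message.present?` guard in both templates is now exercised only on its truthy side unless a spec explicitly passes `message: nil`, and the existing mailer specs appear to rely on the factory default. A comment on the new line, `message { "un message d'invitation" } # default present so the blockquote branch renders; pass message: nil to cover the other branch`, or a dedicated spec for the empty-message case, would keep that branch from silently losing coverage. The `FactoryBot.define` block starts before and ends after this hunk.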
@ -44,6 +44,13 @@ RSpec.describe InviteMailer, type: :mailer do
|
||||||
expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name)
|
expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'message contains malicious link' do
|
||||||
|
let(:invite) { create(:invite, user: create(:user), message: "Coucou\n<a href=\"https://malicious.site\">trusted anchor</a>") }
|
||||||
|
it 'sanitize message' do
|
||||||
|
expect(subject.body.decoded).to match(%r{<p>Coucou\s+<br />trusted anchor</p>})
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
describe '.invite_guest' do
|
describe '.invite_guest' do
|
||||||
|
@ -88,5 +95,12 @@ RSpec.describe InviteMailer, type: :mailer do
|
||||||
expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name)
|
expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
context 'message contains malicious link' do
|
||||||
|
let(:invite) { create(:invite, user: create(:user), message: "Coucou\n<a href=\"https://malicious.site\">trusted anchor</a>") }
|
||||||
|
it 'sanitize message' do
|
||||||
|
expect(subject.body.decoded).to match(%r{<p>Coucou\s+<br />trusted anchor</p>})
|
||||||
|
end
|
||||||
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
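Review bot: The two new `context 'message contains malicious link'` blocks (one under `.invite_user`, one under `.invite_guest`) are byte-identical, so a `shared_examples` block pulled in with `it_behaves_like` would keep them from drifting apart when the expected output changes. The regex already shows the anchor was removed, but adding `expect(subject.body.decoded).not_to include('malicious.site')` states the security property directly and would also fail if the href ever survived in another form (for example in a text part) that the `<p>…</p>` regex does not cover. The `subject` and the surrounding `describe` blocks are defined outside these hunks.

```ruby
shared_examples 'sanitizes the invite message' do
  let(:invite) { create(:invite, user: create(:user), message: "Coucou\n<a href=\"https://malicious.site\">trusted anchor</a>") }

  it 'strips markup from the message' do
    expect(subject.body.decoded).to match(%r{<p>Coucou\s+<br />trusted anchor</p>})
    expect(subject.body.decoded).not_to include('malicious.site')
  end
end

# … unchanged: describe '.invite_user' / '.invite_guest' setup …
it_behaves_like 'sanitizes the invite message'
```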