fix(email): sanitize user message

This commit is contained in:
Colin Darie 2023-12-14 12:51:56 +01:00
parent adb161466e
commit fd7839773b
5 changed files with 18 additions and 5 deletions

View file

@ -10,8 +10,7 @@
- if @invite.message.present? - if @invite.message.present?
%blockquote %blockquote
%p = simple_format(@invite.message)
= @invite.message
%p %p
Cette plateforme permet à ses utilisateurs détablir des dossiers 100 % en ligne et de dialoguer avec plusieurs interlocuteurs privilégiés avant dinstruire un dépot. Cette plateforme permet à ses utilisateurs détablir des dossiers 100 % en ligne et de dialoguer avec plusieurs interlocuteurs privilégiés avant dinstruire un dépot.

View file

@ -8,8 +8,7 @@
- if @invite.message.present? - if @invite.message.present?
%blockquote %blockquote
%p = simple_format(@invite.message)
= @invite.message
%p %p
Pour le consulter, merci de suivre ce lien : Pour le consulter, merci de suivre ce lien :

View file

@ -9,7 +9,7 @@
<!--<![endif]--> <!--<![endif]-->
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0"> <meta name="viewport" content="width=device-width, initial-scale=1.0">
<style type="text/css"> #outlook a { padding: 0; } .ReadMsgBody { width: 100%; } .ExternalClass { width: 100%; } .ExternalClass * { line-height:100%; } body { margin: 0; padding: 0; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; } table, td { border-collapse:collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; } img { border: 0; height: auto; line-height: 100%; outline: none; text-decoration: none; -ms-interpolation-mode: bicubic; } p { display: block; margin: 13px 0; } blockquote { margin: 0; } blockquote p { padding: 15px; background: #eee; border-radius: 5px; } blockquote p::before { content: '\201C'; } blockquote p::after { content: '\201D'; }</style> <style type="text/css"> #outlook a { padding: 0; } .ReadMsgBody { width: 100%; } .ExternalClass { width: 100%; } .ExternalClass * { line-height:100%; } body { margin: 0; padding: 0; -webkit-text-size-adjust: 100%; -ms-text-size-adjust: 100%; } table, td { border-collapse:collapse; mso-table-lspace: 0pt; mso-table-rspace: 0pt; } img { border: 0; height: auto; line-height: 100%; outline: none; text-decoration: none; -ms-interpolation-mode: bicubic; } p { display: block; margin: 13px 0; } blockquote { margin: 0; background: #eee; } blockquote p { padding: 10px; border-radius: 5px; }</style>
<!--[if !mso]> <!--[if !mso]>
<!--> <!-->
<style type="text/css"> @media only screen and (max-width:480px) { @-ms-viewport { width:320px; } @viewport { width:320px; } }</style> <style type="text/css"> @media only screen and (max-width:480px) { @-ms-viewport { width:320px; } @viewport { width:320px; } }</style>

View file

@ -3,6 +3,7 @@ FactoryBot.define do
email { 'plop@octo.com' } email { 'plop@octo.com' }
user { nil } user { nil }
association :dossier association :dossier
message { "un message d'invitation" }
after(:build) do |invite, _evaluator| after(:build) do |invite, _evaluator|
if invite.user.present? if invite.user.present?

View file

@ -44,6 +44,13 @@ RSpec.describe InviteMailer, type: :mailer do
expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name) expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name)
end end
end end
context 'message contains malicious link' do
let(:invite) { create(:invite, user: create(:user), message: "Coucou\n<a href=\"https://malicious.site\">trusted anchor</a>") }
it 'sanitize message' do
expect(subject.body.decoded).to match(%r{<p>Coucou\s+<br />trusted anchor</p>})
end
end
end end
describe '.invite_guest' do describe '.invite_guest' do
@ -88,5 +95,12 @@ RSpec.describe InviteMailer, type: :mailer do
expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name) expect { invite }.to have_enqueued_job.on_queue(Rails.application.config.action_mailer.deliver_later_queue_name)
end end
end end
context 'message contains malicious link' do
let(:invite) { create(:invite, user: create(:user), message: "Coucou\n<a href=\"https://malicious.site\">trusted anchor</a>") }
it 'sanitize message' do
expect(subject.body.decoded).to match(%r{<p>Coucou\s+<br />trusted anchor</p>})
end
end
end end
end end