
mozilla / blurts-server / #12870

Vinnl
Don't pass unsanitised user input into HTML

It should now no longer be possible to pass arbitrary HTML (e.g.
including malicious JS) into the query parameters and have that
show up on the unsubscribe page. Additionally, the query parameters
get validated, and only the relevant parameters are sent to the
back-end.

282 of 1473 branches covered (19.14%)

Branch coverage included in aggregate %.

12 of 12 new or added lines in 1 file covered. (100.0%)

959 of 4003 relevant lines covered (23.96%)

1.99 hits per line

/src/controllers/unsubscribe.js
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import { guestLayout } from '../views/guestLayout.js'
import {
  unsubscribe,
  unsubscribeMonthly
} from '../views/partials/unsubscribe.js'
import { generateToken } from '../utils/csrf.js'
import { unsubscribeFromMonthlyReport } from '../utils/email.js'

/**
 * Renders the unsubscribe page inside the guest layout.
 *
 * The view data carries a fresh CSRF token bound to this response, the
 * `unsubscribe` partial, and the request's query parameters. Note that
 * `req.query` is forwarded to the template unchanged: nothing in this
 * handler escapes, validates or allow-lists those values, so any
 * HTML-escaping of query values has to happen in the partial/layout
 * (not visible in this file — NOTE(review): confirm the template escapes
 * them before interpolation). Depending on the app's query parser,
 * individual values may be strings, arrays or nested objects.
 *
 * @param {object} req - incoming request; only `req.query` is read.
 * @param {object} res - response; receives the rendered HTML via `res.send`.
 * @returns {void}
 */
function unsubscribePage (req, res) {
  const csrfToken = generateToken(res)
  const queryParams = req.query

  const html = guestLayout({
    csrfToken,
    partial: unsubscribe,
    queryParams
  })
  res.send(html)
}

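/**
 * Handles a request to unsubscribe from the monthly report and renders
 * the confirmation page.
 *
 * Flow:
 *   1. `unsubscribeFromMonthlyReport(req, res)` performs the actual
 *      unsubscribe (its validation and error semantics live in
 *      ../utils/email.js and are not visible here).
 *   2. If it throws, the error is logged and the client is redirected to
 *      '/' — the failure is deliberately not surfaced to the user.
 *   3. Otherwise the guest layout is sent with the `unsubscribeMonthly`
 *      partial and a fresh CSRF token.
 *
 * Change from the original: the caught error is written with
 * `console.error` instead of `console.log`, so it lands on stderr with
 * other error output rather than being mixed into stdout. Nothing else
 * in the control flow is altered.
 *
 * @param {object} req - incoming request, passed through to
 *   `unsubscribeFromMonthlyReport`.
 * @param {object} res - response; either redirected to '/' on failure or
 *   sent the rendered HTML on success.
 * @returns {Promise<void|object>} resolves after the response is sent
 *   (the redirect branch returns whatever `res.redirect` returns).
 */
async function unsubscribeMonthlyPage (req, res) {
  try {
    await unsubscribeFromMonthlyReport(req, res)
  } catch (error) {
    // Best-effort: log the failure and send the user back to the root
    // page rather than exposing the error details in the response.
    console.error(error)
    return res.redirect('/')
  }

  const data = {
    csrfToken: generateToken(res),
    partial: unsubscribeMonthly
  }

  res.send(guestLayout(data))
}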

// Route handlers exported for the router; both render via guestLayout.
export { unsubscribeMonthlyPage, unsubscribePage }