
mozilla / blurts-server / #12874

Build #12874 (push, circleci): pending completion

Vinnl
Don't pass unsanitised user input into HTML

It should now no longer be possible to pass arbitrary HTML (e.g.
including malicious JS, though our CSP blocks that) into the query
parameters and have that show up on the unsubscribe page.
Additionally, the query parameters get validated, and only the
relevant parameters are sent to the back-end.

282 of 1473 branches covered (19.14%)

Branch coverage included in aggregate %.

12 of 12 new or added lines in 1 file covered. (100.0%)

959 of 4003 relevant lines covered (23.96%)

1.99 hits per line

Source File
/src/views/partials/unsubscribe.js
```javascript
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

import { getMessage } from '../../utils/fluent.js'

// Renders the unsubscribe confirmation. Only localised strings and the
// server-issued CSRF token are interpolated; no query-string values reach
// the markup.
const unsubscribe = data => `
  <section class="unsubscribe">
    <h1>${getMessage('unsub-headline')}</h1>
    <p>${getMessage('unsub-blurb')}</p>
    <button
      class='primary js-unsubscribe-button'
      data-csrf-token='${data.csrfToken}'
    >
      ${getMessage('unsub-button')}
    </button>
  </section>
`

// Rendered after the monthly-report unsubscribe has been saved.
const unsubscribeMonthly = () => `
  <section class="unsubscribe">
    <h1>${getMessage('unsub-headline')}</h1>
    <p>${getMessage('changes-saved')}</p>
  </section>
`

export {
  unsubscribe,
  unsubscribeMonthly
}
```
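The commit message above describes two defences: never interpolating raw query-string values into the template, and forwarding only validated, allowlisted parameters to the back-end. The following is an added illustration of that pattern, not code from blurts-server; `escapeHtml`, `ALLOWED_PARAMS`, `pickQueryParams`, `renderUnsubscribeUnsafe` and `renderUnsubscribe` are hypothetical names, and the parameter formats are assumed. It goes one step beyond the page's template by also showing how a value must be escaped if it does have to be displayed.

```javascript
// Added illustration; not blurts-server code. All names and the parameter
// formats in ALLOWED_PARAMS are assumptions for this example.

// Escape the five characters that change meaning in HTML text or in a
// quoted attribute value.
const escapeHtml = (value) =>
  String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');

// Allowlist of the query parameters the back-end actually needs, each with
// a format check. Anything else in the query string is silently dropped.
const ALLOWED_PARAMS = {
  hash: (v) => /^[A-Fa-f0-9]{8,128}$/.test(v),
  token: (v) => /^[A-Za-z0-9_-]{8,256}$/.test(v),
};

// Returns only the allowed, well-formed parameters from a parsed query
// object (e.g. Express's req.query).
const pickQueryParams = (query) => {
  const out = {};
  for (const [name, check] of Object.entries(ALLOWED_PARAMS)) {
    const value = query[name];
    if (typeof value === 'string' && check(value)) out[name] = value;
  }
  return out;
};

// Vulnerable shape: a raw query value lands in the template, so any markup
// in ?email=... becomes part of the page.
const renderUnsubscribeUnsafe = (query) =>
  `<section class="unsubscribe"><p>Unsubscribe ${query.email}</p></section>`;

// Hardened shape: untrusted values are escaped before interpolation, and
// only validated parameters are handed on for the back-end call.
const renderUnsubscribe = (query, csrfToken) => {
  const params = pickQueryParams(query);
  const display = escapeHtml(query.email ?? '');
  return `<section class="unsubscribe">
  <p>Unsubscribe ${display}</p>
  <button class="primary js-unsubscribe-button"
    data-csrf-token="${escapeHtml(csrfToken)}"
    data-params="${escapeHtml(JSON.stringify(params))}">Unsubscribe</button>
</section>`;
};
```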

© 2025 Coveralls, Inc