From 03e4acdb374ce5067ce630b40f95743ca3e1ef21 Mon Sep 17 00:00:00 2001
From: Hannah Wolfe
Date: Fri, 14 Oct 2016 15:31:20 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=90=9B=20Subscribers:=20validate=20urls?=
 =?UTF-8?q?=20(#7540)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

no issue

- Ensure URLs submitted via form are sanitized so that we only accept real urls
- Add some tests for the isEmptyOrURL validator
---
 core/server/apps/subscribers/lib/router.js | 9 ++++--
 core/test/unit/validation_spec.js | 33 ++++++++++++++++++++++
 2 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 core/test/unit/validation_spec.js

diff --git a/core/server/apps/subscribers/lib/router.js b/core/server/apps/subscribers/lib/router.js
index de783cf8f4..ded8281865 100644
--- a/core/server/apps/subscribers/lib/router.js
+++ b/core/server/apps/subscribers/lib/router.js
@@ -7,6 +7,7 @@ var path = require('path'),
     // Dirty requires
     api = require('../../../api'),
     errors = require('../../../errors'),
+    validator = require('../../../data/validation').validator,
     templates = require('../../../controllers/frontend/templates'),
     postlookup = require('../../../controllers/frontend/post-lookup'),
     setResponseContext = require('../../../controllers/frontend/context');
@@ -45,9 +46,13 @@ function honeyPot(req, res, next) {
     next();
 }
 
+function santizeUrl(url) {
+    return validator.isEmptyOrURL(url) ? url : '';
+}
+
 function handleSource(req, res, next) {
-    req.body.subscribed_url = req.body.location;
-    req.body.subscribed_referrer = req.body.referrer;
+    req.body.subscribed_url = santizeUrl(req.body.location);
+    req.body.subscribed_referrer = santizeUrl(req.body.referrer);
     delete req.body.location;
     delete req.body.referrer;
 
diff --git a/core/test/unit/validation_spec.js b/core/test/unit/validation_spec.js
new file mode 100644
index 0000000000..049b08ee1b
--- /dev/null
+++ b/core/test/unit/validation_spec.js
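Review bot: The new helper's name is misspelled: `santizeUrl` should be `sanitizeUrl`, both at its definition and at the two call sites in handleSource, so the intent is clear and the function is grep-able. The helper should also carry a one-line comment stating its contract, e.g. `// location/referrer come from the subscriber form and are untrusted: keep the value only if it is empty or parses as a URL, otherwise store ''.` What `isEmptyOrURL` does when the form omits a field (so `req.body.location` is `undefined`) is not visible in this hunk; if it does not accept a non-string, the call sites would need to pass `req.body.location || ''` rather than the raw value, which is worth confirming against the validator. The body of handleSource continues past the end of the hunk.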
@@ -0,0 +1,33 @@
+var should = require('should'),
+
+    validation = require('../../server/data/validation');
+
+// Validate our customisations
+describe('Validation', function () {
+    it('should export our required functions', function () {
+        should.exist(validation);
+
+        validation.should.have.properties(
+            ['validate', 'validator', 'validateSchema', 'validateSettings', 'validateActiveTheme']
+        );
+
+        validation.validate.should.be.a.Function();
+        validation.validateSchema.should.be.a.Function();
+        validation.validateSettings.should.be.a.Function();
+        validation.validateActiveTheme.should.be.a.Function();
+
+        validation.validator.should.have.properties(['empty', 'notContains', 'isTimezone', 'isEmptyOrURL', 'isSlug']);
+    });
+
+    describe('Validator customisations', function () {
+        var validator = validation.validator;
+
+        it('isEmptyOrUrl filters javascript urls', function () {
+            /*jshint scripturl:true */
+            validator.isEmptyOrURL('javascript:alert(0)').should.be.false();
+            /*jshint scripturl:false */
+            validator.isEmptyOrURL('').should.be.true();
+            validator.isEmptyOrURL('http://localhost:2368').should.be.true();
+        });
+    });
+});
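Review bot: The only negative case in the `isEmptyOrUrl filters javascript urls` test is a `javascript:` scheme, so the test does not pin the contract the commit message describes ("only accept real urls"): a plain non-URL string is never asserted to be rejected, and only `http://` is asserted to be accepted. Adding `validator.isEmptyOrURL('not a url').should.be.false();` and `validator.isEmptyOrURL('https://example.com/path').should.be.true();` would document both halves of "empty or a URL" for whoever next changes the validator. Whether `isEmptyOrURL` tolerates a non-string argument (the router passes `req.body.location` through unchanged) is also not covered here and would be worth a case if the validator is meant to handle it.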