add escape and strip tags

gip-inclusion · Sep 18, 2024 · 75aaa42 · 75aaa42
1 parent fc51ce7
commit 75aaa42
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 8 deletions.
diff --git a/lemarche/utils/apis/api_brevo.py b/lemarche/utils/apis/api_brevo.py
@@ -9,6 +9,7 @@
 
 from lemarche.tenders.constants import AMOUNT_RANGE_CHOICE_EXACT
 from lemarche.utils.constants import EMAIL_SUBJECT_PREFIX
+from lemarche.utils.data import sanitize_to_send_by_email
 from lemarche.utils.urls import get_object_admin_url, get_object_share_url
 
 
@@ -40,12 +41,12 @@ def create_contact(user, list_id: int):
         email=user.email,
         list_ids=[list_id],
         attributes={
-            "NOM": user.last_name,
-            "PRENOM": user.first_name,
+            "NOM": sanitize_to_send_by_email(user.last_name.capitalize()),
+            "PRENOM": sanitize_to_send_by_email(user.first_name.capitalize()),
             "DATE_INSCRIPTION": user.created_at,
             "TYPE_ORGANISATION": user.buyer_kind_detail,
-            "NOM_ENTREPRISE": user.company_name,
-            "SMS": user.phone_display,
+            "NOM_ENTREPRISE": sanitize_to_send_by_email(user.company_name.capitalize()),
+            "SMS": sanitize_to_send_by_email(user.phone_display),
             # WHATSAPP, TYPE_ORGANISATION, LIEN_FICHE_COMMERCIALE, TAUX_DE_COMPLETION
         },
         ext_id=str(user.id),

diff --git a/lemarche/utils/data.py b/lemarche/utils/data.py
@@ -4,6 +4,7 @@
 from django.core.management import call_command
 from django.db import connection
 from django.utils.encoding import force_str
+from django.utils.html import escape, strip_tags
 
 
 def reset_app_sql_sequences(app_name):
@@ -111,3 +112,10 @@ def add_validation_error(dict, key, value):
         if type(dict[key]) is str:
             dict[key] = [dict[key], value]
     return dict
+
+
+def sanitize_to_send_by_email(value):
+    """
+    Sanitize a string to be sent by email (remove HTML tags to avoid XSS in first_name, last_name, etc.)
+    """
+    return escape(strip_tags(value))
diff --git a/lemarche/utils/emails.py b/lemarche/utils/emails.py
@@ -7,6 +7,7 @@
 from lemarche.users import constants as user_constants
 from lemarche.utils.apis import api_brevo, api_mailjet
 from lemarche.utils.constants import EMAIL_SUBJECT_PREFIX
+from lemarche.utils.data import sanitize_to_send_by_email
 
 
 GENERIC_EMAIL_DOMAIN_SUFFIX_LIST = [
@@ -80,11 +81,11 @@ def add_to_contact_list(user, type: str, source: str = user_constants.SOURCE_SIG
         raise ValueError("type must be defined")
     if contact_list_id:
         properties = {
-            "nom": user.last_name.capitalize(),
-            "prénom": user.first_name.capitalize(),
+            "nom": sanitize_to_send_by_email(user.last_name.capitalize()),
+            "prénom": sanitize_to_send_by_email(user.first_name.capitalize()),
             "pays": "france",
-            "nomsiae": user.company_name.capitalize() if user.company_name else "",
-            "poste": user.position.capitalize() if user.position else "",
+            "nomsiae": sanitize_to_send_by_email(user.company_name.capitalize()) if user.company_name else "",
+            "poste": sanitize_to_send_by_email(user.position.capitalize()) if user.position else "",
         }
 
         api_mailjet.add_to_contact_list_async(user.email, properties, contact_list_id)