fix: name field validations (#33429)

openedx/core/djangoapps/user_api/accounts/api.py

@@ -404,9 +404,23 @@ def get_name_validation_error(name):
     :return: Validation error message.
 
     """
+
+    def contains_html(value):
+        """
+        Validator method to check whether name contains html tags
+        """
+        regex = re.compile('(<|>)', re.UNICODE)
+        return bool(regex.search(value))
+
+    def contains_url(value):
+        """
+        Validator method to check whether full name contains url
+        """
+        regex = re.findall(r'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))*', value)
+        return bool(regex)
+
     if name:
-        regex = re.findall(r'https|http?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', name)
-        return _('Enter a valid name') if bool(regex) else ''
+        return _('Enter a valid name') if (contains_html(name) or contains_url(name)) else ''
     else:
         return accounts.REQUIRED_FIELD_NAME_MSG
 

openedx/core/djangoapps/user_api/accounts/tests/testutils.py

@@ -9,7 +9,12 @@
 INVALID_NAMES = [
     None,
     '',
-    ''
+    'http://',
+    'https://',
+    '<html_name>',
+    'https://www.example.com',
+    'Valid name http://www.example.com',
+    'Valid name <tag>',
 ]
 
 INVALID_USERNAMES_ASCII = [

openedx/core/djangoapps/user_authn/views/registration_form.py

@@ -93,7 +93,7 @@ def contains_url(value):
     """
     Validator method to check whether full name contains url
     """
-    regex = re.findall(r'https|http?://(?:[-\w.]|(?:%[\da-fA-F]{2}))+', value)
+    regex = re.findall(r'https?://(?:[-\w.]|(?:%[\da-fA-F]{2}))*', value)
     return bool(regex)
 
 

openedx/core/djangoapps/user_authn/views/tests/test_register.py

@@ -294,6 +294,45 @@ def test_register_fullname_url_validation_error(self):
             }
         )
 
+        # testing for http/https
+        response = self.client.post(self.url, {
+            "email": "[email protected]",
+            "name": "http://",
+            "username": "bob",
+            "password": "password",
+            "honor_code": "true",
+        })
+        assert response.status_code == 400
+        response_json = json.loads(response.content.decode('utf-8'))
+        self.assertDictEqual(
+            response_json,
+            {
+                "name": [{"user_message": 'Enter a valid name'}],
+                "error_code": "validation-error"
+            }
+        )
+
+    def test_register_fullname_html_validation_error(self):
+        """
+        Test for catching invalid full name errors
+        """
+        response = self.client.post(self.url, {
+            "email": "[email protected]",
+            "name": "<Bob Smith>",
+            "username": "bob",
+            "password": "password",
+            "honor_code": "true",
+        })
+        assert response.status_code == 400
+        response_json = json.loads(response.content.decode('utf-8'))
+        self.assertDictEqual(
+            response_json,
+            {
+                'name': [{'user_message': 'Full Name cannot contain the following characters: < >'}],
+                "error_code": "validation-error"
+            }
+        )
+
     def test_register_duplicate_username_account_validation_error(self):
         # Register the first user
         response = self.client.post(self.url, {