Don't show unescaped user id in user-information form.

This applies PloneHotfix20160830.
plone · Sep 7, 2016 · 38284c2 · 38284c2
1 parent 44428b2
commit 38284c2
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 2 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -14,7 +14,8 @@ New features:
 
 Bug fixes:
 
-- *add item here*
+- Don't show unescaped user id in user-information form.
+  This applies PloneHotfix20160830.  [maurits]
 
 
 2.3.7 (2016-08-18)

diff --git a/plone/app/users/browser/userdatapanel.py b/plone/app/users/browser/userdatapanel.py
@@ -15,6 +15,9 @@
 from ..schema import IUserDataSchema
 from .schemaeditor import getFromBaseSchema
 
+import cgi
+
+
 
 class UserDataPanelAdapter(AccountPanelSchemaAdapter):
     """One does not simply set portrait, email might be used to login with.
@@ -72,7 +75,7 @@ def description(self):
             return _(
                 u'description_personal_information_form_otheruser',
                 default='Change personal information for $name',
-                mapping={'name': userid}
+                mapping={'name': cgi.escape(userid)}
             )
         else:
             # editing my own profile

diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py
@@ -0,0 +1,30 @@
+from plone.app.users.browser.userdatapanel import UserDataPanel
+from plone.app.users.testing import PLONE_APP_USERS_FUNCTIONAL_TESTING
+from zope.i18n import translate
+
+import unittest
+
+
+class TestUserDataPanel(unittest.TestCase):
+
+    layer = PLONE_APP_USERS_FUNCTIONAL_TESTING
+
+    def test_regression(self):
+        portal = self.layer['portal']
+        request = self.layer['request']
+        request.form.update({
+            'userid': 'admin'
+        })
+        form = UserDataPanel(portal, request)
+        description = translate(form.description, context=request)
+        self.assertTrue('admin' in description)
+
+    def test_escape_html(self):
+        portal = self.layer['portal']
+        request = self.layer['request']
+        request.form.update({
+            'userid': 'admin<script>alert("userid")</script>'
+        })
+        form = UserDataPanel(portal, request)
+        description = translate(form.description, context=request)
+        self.assertTrue('<script>' not in description)