Merge pull request #61 from plone/apply-hotfix-20160830-12x

Apply hotfix 20160830 12x
plone · Sep 7, 2016 · 51245a2 · 51245a2
2 parents 2e5bdaf + 5dc8328
commit 51245a2
Show file tree

Hide file tree

Showing 3 changed files with 49 additions and 4 deletions.
diff --git a/CHANGES.rst b/CHANGES.rst
@@ -4,13 +4,17 @@ Changelog
 1.2.5 (unreleased)
 ------------------
 
-New:
+New features:
 
 - *add item here*
 
-Fixes:
+Bug fixes:
 
-- *add item here*
+- Give a 404 when the user-information form is called with a not
+  existing userid.  [maurits]
+
+- Don't show unescaped user id in user-information form.
+  This applies PloneHotfix20160830.  [maurits]
 
 
 1.2.4 (2016-02-24)

diff --git a/plone/app/users/browser/personalpreferences.py b/plone/app/users/browser/personalpreferences.py
@@ -25,6 +25,9 @@
 from Products.CMFPlone.utils import set_own_login_name, safe_unicode
 from Products.Five.browser.pagetemplatefile import ViewPageTemplateFile
 from Products.statusmessages.interfaces import IStatusMessage
+from zExceptions import NotFound
+
+import cgi
 
 
 class IPersonalPreferences(Interface):
@@ -298,7 +301,7 @@ def description(self):
             #editing someone else's profile
             return _(u'description_personal_information_form_otheruser',
                      default='Change personal information for $name',
-                     mapping={'name': self.userid})
+                     mapping={'name': cgi.escape(self.userid)})
         else:
             #editing my own profile
             return _(u'description_personal_information_form',
@@ -320,6 +323,14 @@ def getPortrait(self):
         context = aq_inner(self.context)
         return context.portal_membership.getPersonalPortrait()
 
+    def __call__(self):
+        if self.userid:
+            context = aq_inner(self.context)
+            mt = getToolByName(context, 'portal_membership')
+            if mt.getMemberById(self.userid) is None:
+                raise NotFound('User does not exist.')
+        return super(UserDataPanel, self).__call__()
+
 
 class UserDataConfiglet(UserDataPanel):
     """ """

diff --git a/plone/app/users/tests/test_user_data_panel.py b/plone/app/users/tests/test_user_data_panel.py
@@ -0,0 +1,30 @@
+from plone.app.users.browser.personalpreferences import UserDataPanel
+from plone.app.users.tests.base import TestCase
+from zExceptions import NotFound
+from zope.i18n import translate
+
+
+class TestUserDataPanel(TestCase):
+
+    def test_regression(self):
+        portal = self.portal
+        request = portal.REQUEST
+        request.form.update({
+            'userid': 'admin'
+        })
+        form = UserDataPanel(portal, request)
+        description = translate(form.description, context=request)
+        self.assertTrue('admin' in description)
+        # form can be called without raising exception.
+        self.assertTrue(form())
+
+    def test_escape_html(self):
+        portal = self.portal
+        request = portal.REQUEST
+        request.form.update({
+            'userid': 'admin<script>alert("userid")</script>'
+        })
+        form = UserDataPanel(portal, request)
+        description = translate(form.description, context=request)
+        self.assertTrue('<script>' not in description)
+        self.assertRaises(NotFound, form)