Ensure invalid characters aren't in xform title

Signed-off-by: Mark Ekisa <[email protected]>
onaio · Feb 4, 2021 · 2511021 · 2511021
1 parent 871f13b
commit 2511021
Show file tree

Hide file tree

Showing 2 changed files with 33 additions and 2 deletions.
diff --git a/onadata/apps/api/tests/viewsets/test_xform_viewset.py b/onadata/apps/api/tests/viewsets/test_xform_viewset.py
@@ -2710,15 +2710,42 @@ def test_update_xform_using_put_with_invalid_input(self):
                 'public_data': False,
                 'project': 'http://testserver/api/v1/projects/{0}'.format(
                     self.xform.project.pk),
-                'title': 'Transport Form',
+                'title': 'http://api.kfc.burger-king.nandos.io',
                 'version': unsanitized_html_str
             }
 
+            with self.assertRaises(XLSFormError) as err:
+                request = self.factory.put('/', data=put_data, **self.extra)
+                response = view(request, pk=form_id)
+
+            self.assertEqual(
+                "Invalid title value; value shouldn't match a URL",
+                str(err.exception)
+            )
+
+            put_data['title'] = 'api.kfc.burger-king.nandos.io'
+
+            with self.assertRaises(XLSFormError) as err:
+                request = self.factory.put('/', data=put_data, **self.extra)
+                response = view(request, pk=form_id)
+
+            self.assertEqual(
+                "Invalid title value; value shouldn't match a URL",
+                str(err.exception)
+            )
+
+            put_data['title'] = 'Transport Form'
+
             # trigger error is form version is invalid
-            with self.assertRaises(XLSFormError):
+            with self.assertRaises(XLSFormError) as err:
                 request = self.factory.put('/', data=put_data, **self.extra)
                 response = view(request, pk=form_id)
 
+            self.assertEqual(
+                "Version shouldn't have any invalid characters ('>' '&' '<')",
+                str(err.exception)
+            )
+
             put_data['version'] = self.xform.version
 
             request = self.factory.put('/', data=put_data, **self.extra)

diff --git a/onadata/apps/logger/models/xform.py b/onadata/apps/logger/models/xform.py
@@ -818,6 +818,10 @@ def _set_title(self):
                 _("Title shouldn't have any invalid xml "
                   "characters ('>' '&' '<')"))
 
+        if re.search(r"([://.]+)", self.title):
+            raise XLSFormError(
+                _("Invalid title value; value shouldn't match a URL"))
+
         self.title = title_xml
 
     def _set_hash(self):