1990 validate input fields on put form endpoint requests

onadata/apps/api/tests/viewsets/test_xform_viewset.py

@@ -27,6 +27,7 @@
 from django.http import HttpResponseRedirect
 from django.test.utils import override_settings
 from django.utils.dateparse import parse_datetime
+from django.utils.html import conditional_escape
 from django.utils.timezone import utc
 from django_digest.test import DigestAuth
 from httmock import HTTMock
@@ -2687,6 +2688,52 @@ def test_update_xform_dropbox_url(self, mock_urlopen):
             self.assertEquals(self.xform.version, "212121211")
             self.assertEquals(form_id, self.xform.pk)
 
+    def test_update_xform_using_put_with_invalid_input(self):
+        with HTTMock(enketo_mock):
+            self._publish_xls_form_to_project()
+            form_id = self.xform.pk
+
+            unsanitized_html_str = "<h1>HTML Injection testing</h1>"
+            version = unsanitized_html_str
+            view = XFormViewSet.as_view({
+                'put': 'update',
+            })
+
+            put_data = {
+                'uuid': 'ae631e898bd34ced91d2a309d8b72das',
+                'description': unsanitized_html_str,
+                'downloadable': False,
+                'owner': 'http://testserver/api/v1/users/{0}'.
+                format(self.user),
+                'created_by':
+                'http://testserver/api/v1/users/{0}'.format(self.user),
+                'public': False,
+                'public_data': False,
+                'project': 'http://testserver/api/v1/projects/{0}'.format(
+                    self.xform.project.pk),
+                'title': 'Transport Form',
+                'version': unsanitized_html_str
+            }
+
+            # trigger error is form version is invalid
+            with self.assertRaises(XLSFormError):
+                request = self.factory.put('/', data=put_data, **self.extra)
+                response = view(request, pk=form_id)
+
+            put_data['version'] = self.xform.version
+
+            request = self.factory.put('/', data=put_data, **self.extra)
+            response = view(request, pk=form_id)
+            self.assertEqual(response.status_code, 200, response.data)
+
+            self.xform.refresh_from_db()
+
+            # check that description has been sanitized
+            self.assertEquals(
+                conditional_escape(unsanitized_html_str),
+                self.xform.description
+            )
+
     def test_update_xform_using_put(self):
         with HTTMock(enketo_mock):
             self._publish_xls_form_to_project()

onadata/apps/logger/models/xform.py

@@ -33,6 +33,7 @@
 
 from onadata.apps.logger.xform_instance_parser import (XLSFormError,
                                                        clean_and_parse_xml)
+from django.utils.html import conditional_escape
 from onadata.libs.models.base_model import BaseModel
 from onadata.libs.utils.cache_tools import (
     IS_ORG, PROJ_BASE_FORMS_CACHE, PROJ_FORMS_CACHE,
@@ -901,6 +902,13 @@ def save(self, *args, **kwargs):
                         'in settings sheet or reduce the file name if you do'
                         ' not have a settings sheets.' % self.MAX_ID_LENGTH))
 
+        if contains_xml_invalid_char(self.version):
+            raise XLSFormError(
+                _("Version shouldn't have any invalid "
+                  "characters ('>' '&' '<')"))
+
+        self.description = conditional_escape(self.description)
+
         super(XForm, self).save(*args, **kwargs)
 
     def __str__(self):