From 04ecf44c2f78ae29911027352a3e9fb21187e20c Mon Sep 17 00:00:00 2001
From: Patrick Figel
Date: Tue, 2 Jan 2018 16:55:00 +0100
Subject: Add confirmation step for email changes (#6071)

* Add confirmation step for email changes

This adds a confirmation step for email changes of existing users. Like the initial account confirmation, a confirmation link is sent to the new address. Additionally, a notification is sent to the existing address when the change is initiated. This message includes instruction to reset the password immediately or to contact the instance admin if the change was not initiated by the account owner.

Fixes #3871

* Add review fixes
---
 spec/mailers/user_mailer_spec.rb | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)
(limited to 'spec')
diff --git a/spec/mailers/user_mailer_spec.rb b/spec/mailers/user_mailer_spec.rb
index 1f6d44015..9f17993e0 100644
--- a/spec/mailers/user_mailer_spec.rb
+++ b/spec/mailers/user_mailer_spec.rb
@@ -33,6 +33,20 @@ describe UserMailer, type: :mailer do instance: Rails.configuration.x.local_domain end + describe 'reconfirmation_instructions' do + let(:mail) { UserMailer.confirmation_instructions(receiver, 'spec') } + + it 'renders reconfirmation instructions' do + receiver.update!(email: 'new-email@example.com', locale: nil) + expect(mail.body.encoded).to include 'new-email@example.com' + expect(mail.body.encoded).to include 'spec' + expect(mail.body.encoded).to include Rails.configuration.x.local_domain + expect(mail.subject).to eq I18n.t('devise.mailer.reconfirmation_instructions.subject', + instance: Rails.configuration.x.local_domain, + locale: I18n.default_locale) + end + end + describe 'reset_password_instructions' do let(:mail) { UserMailer.reset_password_instructions(receiver, 'spec') }
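Review bot: The new 'reconfirmation_instructions' example asserts what the mail body contains but never who the mail is addressed to, and for an email-change confirmation the recipient is the property that matters, since the link must reach only the pending address; add `expect(mail.to).to eq ['new-email@example.com']` after the `receiver.update!` line. The three `include` checks would also pass for a plain initial-confirmation mail, so only the subject assertion distinguishes the reconfirmation branch, and that relies on `receiver.update!(email: ...)` leaving the new value in a pending field rather than in `email`, which nothing in the hunk shows; a one-line comment above `receiver.update!` stating that assumption would make the example readable on its own. The `describe` label names 'reconfirmation_instructions' while the block calls `UserMailer.confirmation_instructions`, unlike the sibling blocks whose labels match the mailer method they call. The same missing-recipient check applies to the 'email_changed' example in the next hunk, where the notification should go to the current address: `expect(mail.to).to eq [receiver.email]`. The enclosing `describe UserMailer` block starts and ends outside the hunk.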
@@ -57,4 +71,16 @@ describe UserMailer, type: :mailer do include_examples 'localized subject', 'devise.mailer.password_change.subject' end + + describe 'email_changed' do + let(:mail) { UserMailer.email_changed(receiver) } + + it 'renders email change notification' do + receiver.update!(locale: nil) + expect(mail.body.encoded).to include receiver.email + end + + include_examples 'localized subject', + 'devise.mailer.email_changed.subject' + end end
-- cgit
From 545095b3ce312b42ba304d0bb2c76727826e27b4 Mon Sep 17 00:00:00 2001
From: puckipedia
Date: Wed, 3 Jan 2018 03:54:08 +0100
Subject: [!] Sanitize incoming classlist properly (#6162)

* Sanitize classlist properly

* Actually properly sanitize every class after the first

* Improve Formatter spec to check for multiple classes and non-space whitespace
---
 app/lib/sanitize_config.rb | 8 ++++----
 spec/lib/formatter_spec.rb | 2 +-
 2 files changed, 5 insertions(+), 5 deletions(-)
(limited to 'spec')
diff --git a/app/lib/sanitize_config.rb b/app/lib/sanitize_config.rb
index f09288fcd..c2b466924 100644
--- a/app/lib/sanitize_config.rb
+++ b/app/lib/sanitize_config.rb
@@ -6,14 +6,14 @@ class Sanitize CLASS_WHITELIST_TRANSFORMER = lambda do |env| node = env[:node] - class_list = node['class']&.split(' ') + class_list = node['class']&.split(/[\t\n\f\r ]/) return unless class_list class_list.keep_if do |e| - return true if e =~ /^(h|p|u|dt|e)-/ # microformats classes - return true if e =~ /^(mention|hashtag)$/ # semantic classes - return true if e =~ /^(ellipsis|invisible)$/ # link formatting classes + next true if e =~ /^(h|p|u|dt|e)-/ # microformats classes + next true if e =~ /^(mention|hashtag)$/ # semantic classes + next true if e =~ /^(ellipsis|invisible)$/ # link formatting classes end node['class'] = class_list.join(' ')
diff --git a/spec/lib/formatter_spec.rb b/spec/lib/formatter_spec.rb
index 71b6b78d2..e79be3645 100644
--- a/spec/lib/formatter_spec.rb
+++ b/spec/lib/formatter_spec.rb
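Review bot: The 'email_changed' example checks only that the current address appears in the body, while the commit message says the notification's purpose is to tell the account owner to reset their password or contact the admin if they did not initiate the change; nothing in the example would notice if that instruction were dropped from the template. An assertion against the translation key that carries that copy, in the style the subject checks already use (`expect(mail.body.encoded).to include I18n.t('<email_changed body key>', ...)`, key to be taken from the locale file), would pin the security-relevant content rather than just the address. The enclosing `describe UserMailer` block starts outside the hunk.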
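Review bot: The whitelist patterns on the three `next true` lines still use `^`/`$`, which in Ruby are line anchors, so the check is only safe because the new `split(/[\t\n\f\r ]/)` above guarantees no token contains a newline; anchor the patterns themselves with `\A`/`\z` so the guarantee does not depend on the split staying in sync: `next true if e.match?(/\A(h|p|u|dt|e)-/)`, `next true if e.match?(/\A(mention|hashtag)\z/)`, `next true if e.match?(/\A(ellipsis|invisible)\z/)` (`match?` also avoids allocating a MatchData). The split character class is the set of five ASCII whitespace characters HTML uses to tokenize a `class` attribute, which is the right set; a single-character pattern does leave empty strings in `class_list` on runs of whitespace, which `keep_if` then drops because none of the patterns match an empty string, but `/[\t\n\f\r ]+/` would avoid creating them at all. The `return` to `next` change is the substantive fix here: inside the `lambda`, `return true` exited the whole transformer on the first allowed class with `node['class']` untouched. The lambda's closing `end` lies outside the hunk.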
@@ -332,7 +332,7 @@ RSpec.describe Formatter do end context 'contains malicious classes' do - let(:text) { 'Show more' } + let(:text) { 'Show more' } it 'strips malicious classes' do is_expected.to_not include 'status__content__spoiler-link'
-- cgit
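Review bot: The example only asserts that the malicious class is absent, so a sanitizer that dropped the entire `class` attribute would still pass; since the commit message says the new fixture mixes several classes and non-space whitespace, add a positive assertion that an allowed class survives, e.g. `is_expected.to include '<an allowed class present in the fixture>'`. The markup inside the two `let(:text)` strings was stripped in this rendering, so the removed and added lines read identically here and the actual class names cannot be taken from the hunk. The enclosing `context` block's `end` and the `RSpec.describe Formatter` block lie outside the hunk.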