mirror of
https://github.com/discourse/discourse.git
synced 2024-12-13 09:53:44 +08:00
5ee31cbf7d
* FIX: Mark invites flash messages as HTML safe. This change should be safe as all user inputs included in the errors are sanitized before sending it back to the client. Context: https://meta.discourse.org/t/html-tags-are-explicit-after-latest-update/214220 * If somebody adds a new error message that includes user input and doesn't sanitize it, using html-safe suddenly becomes unsafe again. As an extra layer of protection, we make the client sanitize the error message received from the backend. * Escape user input instead of sanitizing
58 lines
1.8 KiB
Ruby
58 lines
1.8 KiB
Ruby
# frozen_string_literal: true
|
|
|
|
class EmailValidator < ActiveModel::EachValidator
|
|
|
|
def validate_each(record, attribute, value)
|
|
unless value =~ EmailValidator.email_regex
|
|
if Invite === record && attribute == :email
|
|
record.errors.add(:base, I18n.t(:'invite.invalid_email', email: CGI.escapeHTML(value)))
|
|
else
|
|
record.errors.add(attribute, I18n.t(:'user.email.invalid'))
|
|
end
|
|
invalid = true
|
|
end
|
|
|
|
unless EmailValidator.allowed?(value)
|
|
record.errors.add(attribute, I18n.t(:'user.email.not_allowed'))
|
|
invalid = true
|
|
end
|
|
|
|
if !invalid && ScreenedEmail.should_block?(value)
|
|
record.errors.add(attribute, I18n.t(:'user.email.blocked'))
|
|
end
|
|
end
|
|
|
|
def self.allowed?(email)
|
|
if (setting = SiteSetting.allowed_email_domains).present?
|
|
return email_in_restriction_setting?(setting, email) || is_developer?(email)
|
|
elsif (setting = SiteSetting.blocked_email_domains).present?
|
|
return !(email_in_restriction_setting?(setting, email) && !is_developer?(email))
|
|
end
|
|
|
|
true
|
|
end
|
|
|
|
def self.can_auto_approve_user?(email)
|
|
if (setting = SiteSetting.auto_approve_email_domains).present?
|
|
return !!(EmailValidator.allowed?(email) && email_in_restriction_setting?(setting, email))
|
|
end
|
|
|
|
false
|
|
end
|
|
|
|
def self.email_in_restriction_setting?(setting, value)
|
|
domains = setting.gsub('.', '\.')
|
|
regexp = Regexp.new("@(.+\\.)?(#{domains})$", true)
|
|
value =~ regexp
|
|
end
|
|
|
|
def self.is_developer?(value)
|
|
Rails.configuration.respond_to?(:developer_emails) && Rails.configuration.developer_emails.include?(value)
|
|
end
|
|
|
|
def self.email_regex
|
|
/\A[a-zA-Z0-9!#\$%&'*+\/=?\^_`{|}~\-]+(?:\.[a-zA-Z0-9!#\$%&'\*+\/=?\^_`{|}~\-]+)*@(?:[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?\.)+[a-zA-Z0-9](?:[a-zA-Z0-9\-]*[a-zA-Z0-9])?$\z/
|
|
end
|
|
|
|
end
|