1680: add sanitation of error-message from potentially external account_link partner

kkoehn · kkoehn · commit 1818ac35bd8a · 2025-02-04T22:04:29.000+01:00
diff --git a/app/services/task_service/push_external.rb b/app/services/task_service/push_external.rb
@@ -12,11 +12,10 @@ def execute
       body = @zip.string
       begin
         response = connection.post {|request| request_parameters(request, body) }
-        if response.success?
-          nil
-        else
-          response.status == 401 ? I18n.t('tasks.export_external_confirm.not_authorized', account_link: @account_link.name) : response.body
-        end
+        return nil if response.success?
+        return I18n.t('tasks.export_external_confirm.not_authorized', account_link: @account_link.name) if response.status == 401
+
+        ERB::Util.html_escape(response.body)
       rescue StandardError => e
         e
       end
diff --git a/config/locales/de/controllers/tasks.yml b/config/locales/de/controllers/tasks.yml
@@ -7,7 +7,7 @@ de:
     duplicate:
       error_alert: Die Aufgabe konnte nicht dupliziert werden.
     export_external_confirm:
-      error: 'Der Export der Aufgabe (%{title}) ist fehlgeschlagen. <br> Fehler: %{error}'
+      error: 'Der Export der Aufgabe (%{title}) ist fehlgeschlagen. <br><br> Fehler: %{error}'
       not_authorized: Die Autorisierung mit "%{account_link}" konnte nicht hergestellt werden. Ist der API-Schlüssel korrekt?
       success: Aufgabe (%{title}) erfolgreich exportiert.
     import:
diff --git a/config/locales/en/controllers/tasks.yml b/config/locales/en/controllers/tasks.yml
@@ -7,7 +7,7 @@ en:
     duplicate:
       error_alert: Task could not be duplicated
     export_external_confirm:
-      error: 'Export of task (%{title}) failed. <br> Error: %{error}'
+      error: 'Export of task (%{title}) failed. <br><br> Error: %{error}'
       not_authorized: Authorization with could not be established with "%{account_link}". Is the API Key correct?
       success: Task (%{title}) successfully exported.
     import:
diff --git a/spec/services/task_service/push_external_spec.rb b/spec/services/task_service/push_external_spec.rb
@@ -51,7 +51,13 @@
         let(:status) { 500 }
         let(:response) { 'an error occured' }
 
-        it { is_expected.to be response }
+        it { is_expected.to eql response }
+
+        context 'when response contains problematic characters' do
+          let(:response) { 'an <error> occurred' }
+
+          it { is_expected.to eql 'an &lt;error&gt; occurred' }
+        end
       end
 
       context 'when response status is 401' do
