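/// <summary>
/// Handles the contact-support form post: records a support request for the
/// signed-in user and sends the support email via the message service.
/// </summary>
/// <param name="contactForm">The posted form (message, subject line, copy-sender flag).</param>
/// <returns>
/// The contact view. When model validation fails the view is re-rendered with the
/// posted model so the user's input is not lost.
/// </returns>
public virtual async Task<ActionResult> Contact(ContactSupportViewModel contactForm)
{
    if (!ModelState.IsValid)
    {
        // Hand the posted model back to the view instead of rendering it empty.
        return View(contactForm);
    }

    // Message and subject line are untrusted user input that flows into the stored
    // support request and the support email, so encode them before either use.
    // Note: the encoded form is what AddNewSupportRequestAsync persists.
    contactForm.Message = HttpUtility.HtmlEncode(contactForm.Message);
    contactForm.SubjectLine = HttpUtility.HtmlEncode(contactForm.SubjectLine);

    var user = GetCurrentUser();
    var request = new ContactSupportRequest
    {
        CopySender = contactForm.CopySender,
        Message = contactForm.Message,
        SubjectLine = contactForm.SubjectLine,
        FromAddress = user.ToMailAddress(),
        RequestingUser = user,
    };

    // The persisted request uses a fixed subject derived from the user, not the form's subject line.
    var subject = $"Support Request for user '{user.Username}'";
    await _supportRequestService.AddNewSupportRequestAsync(subject, contactForm.Message, user.EmailAddress, "Other", user);

    _messageService.SendContactSupportEmail(request);

    // Clear the model state so the form renders empty after a successful send.
    ModelState.Clear();
    TempData["Message"] = "Your message has been sent to support. We'll be in contact with you shortly.";
    return View();
}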
/// <summary>
/// Verifies that the message reaching <c>ISupportRequestService.AddNewSupportRequestAsync</c>
/// is the HTML-encoded form of what the user posted.
/// </summary>
public async Task HtmlEncodesTheSupportRequest()
{
    // arrange: a form whose fields carry markup, and the encoded message we expect to see
    var rawMessage = "<b>some html</b>";
    var rawSubject = "maybe some malicious javascript: <script>alert('teh XSS hax')</script>";
    var form = new ContactSupportViewModel
    {
        Message = rawMessage,
        SubjectLine = rawSubject,
    };
    var encodedMessage = HttpUtility.HtmlEncode(form.Message);

    // the action reads the current user, so that must be in place before it runs
    var pagesController = GetController<PagesController>();
    var signedInUser = new User
    {
        Username = "******",
        UnconfirmedEmailAddress = "*****@*****.**",
        EmailConfirmationToken = "aToken",
    };
    pagesController.SetCurrentUser(signedInUser);

    // act
    await pagesController.Contact(form);

    // assert: the service saw the encoded message; the remaining arguments are not under test here
    var supportRequestService = GetMock<ISupportRequestService>();
    supportRequestService.Verify(m => m.AddNewSupportRequestAsync(
        It.IsAny<string>(),
        encodedMessage,
        It.IsAny<string>(),
        It.IsAny<string>(),
        It.IsAny<User>(),
        It.IsAny<Package>()));
}
/// <summary>
/// POST handler for the contact-support form. Encodes the user-supplied text,
/// records a support request for the signed-in user and sends the support email.
/// </summary>
/// <param name="contactForm">The posted form values.</param>
/// <returns>
/// The contact view; when validation fails it is re-rendered with the posted model.
/// </returns>
public virtual async Task<ActionResult> Contact(ContactSupportViewModel contactForm)
{
    if (!ModelState.IsValid)
    {
        return View(contactForm);
    }

    // These fields may contain HTML, so they are stored and sent in encoded form.
    contactForm.Message = HttpUtility.HtmlEncode(contactForm.Message);
    contactForm.SubjectLine = HttpUtility.HtmlEncode(contactForm.SubjectLine);

    var currentUser = GetCurrentUser();

    // The persisted request carries a fixed, user-derived subject rather than the form's subject line.
    var requestSubject = $"Support Request for user '{currentUser.Username}'";
    await _supportRequestService.AddNewSupportRequestAsync(
        requestSubject,
        contactForm.Message,
        currentUser.EmailAddress,
        "Other",
        currentUser);

    var supportEmail = new ContactSupportMessage(
        _messageServiceConfiguration,
        currentUser.ToMailAddress(),
        currentUser,
        contactForm.Message,
        contactForm.SubjectLine,
        contactForm.CopySender);
    await _messageService.SendMessageAsync(supportEmail);

    // Reset the form after a successful send and surface a confirmation to the user.
    ModelState.Clear();
    TempData["Message"] = "Your message has been sent to support. We'll be in contact with you shortly.";
    return View();
}
/// <summary>
/// Verifies that both the message and the subject line handed to
/// <c>IMessageService.SendContactSupportEmail</c> are the HTML-encoded forms of the posted values.
/// </summary>
public async Task HtmlEncodesTheSupportContactEmail()
{
    // arrange: a form with markup in both fields, plus the encoded values we expect in the email
    var form = new ContactSupportViewModel
    {
        Message = "<strong>Something with HTML in it</strong>",
        SubjectLine = "<script>alert('malicious javascript perhaps')</script>",
    };
    var encodedMessage = HttpUtility.HtmlEncode(form.Message);
    var encodedSubject = HttpUtility.HtmlEncode(form.SubjectLine);

    // the action reads the current user, so that must be in place before it runs
    var pagesController = GetController<PagesController>();
    var signedInUser = new User
    {
        Username = "******",
        UnconfirmedEmailAddress = "*****@*****.**",
        EmailConfirmationToken = "aToken",
    };
    pagesController.SetCurrentUser(signedInUser);

    // act
    await pagesController.Contact(form);

    // assert: the email request carried the encoded message and subject line
    var messageService = GetMock<IMessageService>();
    messageService.Verify(m => m.SendContactSupportEmail(
        It.Is<ContactSupportRequest>(c =>
            c.Message == encodedMessage
            && c.SubjectLine == encodedSubject)));
}