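/// <summary>
/// Handles the contact-support form post: records a support request for the current user
/// and hands the message to the message service for e-mailing.
/// </summary>
/// <param name="contactForm">The posted form (message, subject line, copy-sender flag).</param>
/// <returns>
/// The contact view; when model validation fails it is re-rendered with the posted model so
/// the user's input and the validation messages are preserved.
/// </returns>
public virtual async Task <ActionResult> Contact(ContactSupportViewModel contactForm)
        {
            if (!ModelState.IsValid)
            {
                // Re-render with the posted model rather than an empty form.
                return View(contactForm);
            }

            // Message and subject line are user-controlled and may contain markup. Encode them
            // once, before anything is stored or sent, so every consumer receives inert text.
            // NOTE(review): this assumes consumers render the text as HTML; a plain-text e-mail
            // body would show the entities literally -- confirm against the message templates.
            contactForm.Message     = System.Web.HttpUtility.HtmlEncode(contactForm.Message);
            contactForm.SubjectLine = System.Web.HttpUtility.HtmlEncode(contactForm.SubjectLine);

            var user    = GetCurrentUser();
            var request = new ContactSupportRequest
            {
                CopySender     = contactForm.CopySender,
                Message        = contactForm.Message,
                SubjectLine    = contactForm.SubjectLine,
                FromAddress    = user.ToMailAddress(),
                RequestingUser = user
            };

            // The tracked support request uses a generated subject; the (encoded) user message is its body.
            var subject = $"Support Request for user '{user.Username}'";
            await _supportRequestService.AddNewSupportRequestAsync(subject, contactForm.Message, user.EmailAddress, "Other", user);

            _messageService.SendContactSupportEmail(request);

            ModelState.Clear();

            TempData["Message"] = "Your message has been sent to support. We'll be in contact with you shortly.";

            return View();
        }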
            public async Task HtmlEncodesTheSupportRequest()
            {
                // arrange: a form whose message and subject carry markup, and the encoding we expect back
                var form = new ContactSupportViewModel
                {
                    Message     = "<b>some html</b>",
                    SubjectLine = "maybe some malicious javascript: <script>alert('teh XSS hax')</script>"
                };
                var encodedMessage = HttpUtility.HtmlEncode(form.Message);

                // the action reads the current user, so it must be in place before the call
                var pagesController = GetController <PagesController>();
                var requestingUser  = new User
                {
                    Username = "******",
                    UnconfirmedEmailAddress = "*****@*****.**",
                    EmailConfirmationToken  = "aToken",
                };
                pagesController.SetCurrentUser(requestingUser);

                // act
                await pagesController.Contact(form);

                // assert: the support request service received the encoded message, not the raw markup
                var supportRequestService = GetMock <ISupportRequestService>();
                supportRequestService.Verify(m => m.AddNewSupportRequestAsync(
                    It.IsAny <string>(),
                    encodedMessage,
                    It.IsAny <string>(),
                    It.IsAny <string>(),
                    It.IsAny <User>(),
                    It.IsAny <Package>()));
            }
        /// <summary>
        /// Handles the contact-support form post: encodes the user-supplied text, records a
        /// support request for the current user and sends the contact-support e-mail.
        /// </summary>
        /// <param name="contactForm">The posted form (message, subject line, copy-sender flag).</param>
        /// <returns>
        /// The contact view; re-rendered with the posted model when model validation fails.
        /// </returns>
        public virtual async Task <ActionResult> Contact(ContactSupportViewModel contactForm)
        {
            if (!ModelState.IsValid)
            {
                return View(contactForm);
            }

            // Both fields are user-controlled and may contain markup; encode them up front so the
            // support request store and the e-mail both receive inert text.
            // NOTE(review): assumes consumers render as HTML; a plain-text e-mail body would show
            // the entities literally -- confirm against the message templates.
            contactForm.Message     = HttpUtility.HtmlEncode(contactForm.Message);
            contactForm.SubjectLine = HttpUtility.HtmlEncode(contactForm.SubjectLine);

            var currentUser    = GetCurrentUser();
            var requestSubject = $"Support Request for user '{currentUser.Username}'";

            // Tracked support request: generated subject, encoded user message as the body.
            await _supportRequestService.AddNewSupportRequestAsync(
                requestSubject,
                contactForm.Message,
                currentUser.EmailAddress,
                "Other",
                currentUser);

            await _messageService.SendMessageAsync(new ContactSupportMessage(
                _messageServiceConfiguration,
                currentUser.ToMailAddress(),
                currentUser,
                contactForm.Message,
                contactForm.SubjectLine,
                contactForm.CopySender));

            ModelState.Clear();
            TempData["Message"] = "Your message has been sent to support. We'll be in contact with you shortly.";

            return View();
        }
            public async Task HtmlEncodesTheSupportContactEmail()
            {
                // arrange: a form with markup in both fields, plus the encodings we expect to reach the e-mail
                var form = new ContactSupportViewModel
                {
                    Message     = "<strong>Something with HTML in it</strong>",
                    SubjectLine = "<script>alert('malicious javascript perhaps')</script>"
                };
                var encodedMessage     = HttpUtility.HtmlEncode(form.Message);
                var encodedSubjectLine = HttpUtility.HtmlEncode(form.SubjectLine);

                // the action reads the current user, so it must be in place before the call
                var pagesController = GetController <PagesController>();
                var requestingUser  = new User
                {
                    Username = "******",
                    UnconfirmedEmailAddress = "*****@*****.**",
                    EmailConfirmationToken  = "aToken",
                };
                pagesController.SetCurrentUser(requestingUser);

                // act
                await pagesController.Contact(form);

                // assert: the message service got a request whose message and subject are both encoded
                var messageService = GetMock <IMessageService>();
                messageService.Verify(m => m.SendContactSupportEmail(
                    It.Is <ContactSupportRequest>(c =>
                        c.Message == encodedMessage &&
                        c.SubjectLine == encodedSubjectLine)));
            }