(While we do wrap the following in outgoing.* URLs, we still shouldn't permit this.)

When I enter

';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

into the homepage field on https://preview.addons.mozilla.org/z/en-US/firefox/users/edit#user-profile and click Update, it gets accepted. I can then see it on https://preview.addons.mozilla.org/z/en-US/firefox/user/235535/

On prod, trying to do that, I get "This URL has an invalid format. Valid URLs look like http://example.com/my_page."
Look into the Django clean_* methods. The regex we used to validate on remora was

/^https?:\/\/([a-z0-9][a-z0-9-]*\.)+([a-z]+)(:[0-9]+)?(\/|$)/i

Same warning as before. This model is hoppin' - rebase often.
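Added example, not code from zamboni or remora: a Python port of the remora pattern quoted above, run over constructed inputs. It shows which values the pattern rejects and which it still accepts (only scheme, host and port are checked, and $ also matches before a trailing newline), so the stored value still has to be escaped when rendered. The function and sample names are assumptions.

```python
import re

# Python port of the remora pattern quoted in the thread
# (the PHP /.../i flag becomes re.IGNORECASE).
REMORA_URL_RE = re.compile(
    r"^https?://([a-z0-9][a-z0-9-]*\.)+([a-z]+)(:[0-9]+)?(/|$)",
    re.IGNORECASE,
)


def is_valid_homepage(value):
    """Return True if value passes the remora-style homepage check."""
    return REMORA_URL_RE.match(value) is not None


def audit(samples):
    """Map each sample string to True (accepted) or False (rejected)."""
    return {s: is_valid_homepage(s) for s in samples}


# Constructed sample inputs (hypothetical values, except the second entry,
# which is the tail of the test string quoted in the report).
SAMPLES = [
    "http://example.com/my_page",        # plain URL: accepted
    "'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>",  # no scheme: rejected
    "HTTPS://Example.COM:8080",          # case-insensitive, port allowed: accepted
    "ftp://example.com/",                # scheme other than http(s): rejected
    "javascript:void(0)",                # scheme other than http(s): rejected
    "http://localhost/",                 # host without a dot: rejected
    # The pattern stops checking after the first "/", so markup in the
    # path is accepted; validation does not replace output escaping.
    'http://example.com/"><b>x</b>',
    # "$" matches before a trailing newline, so this is accepted too;
    # strip the value or anchor with \Z if that matters.
    "http://example.com\n",
]

if __name__ == "__main__":
    for value, ok in audit(SAMPLES).items():
        print(f"{'accept' if ok else 'reject'}  {value!r}")
```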
Assignee: nobody → chenba
Homepage validation with regex: http://github.com/chenba/zamboni/commit/1f1ff3e67aa6450c69d11acc3ce94442a774b430 The occupation field is mentioned in the bug title, but there aren't any comments on what's acceptable. Plz advise.
I'm not worried about occupation
Summary: Need to better-validate user input on homepage and occupation fields → Need to better-validate user input on homepage field
a) @clouserw: I don't think isValidURL() is in Django anymore, at least I couldn't find it.
b) jbalogh's suggestion of using URLValidator kind of answered my unasked question of "why wasn't homepage a URLField?" It is now: http://github.com/chenba/zamboni/commit/6d240cd8cc526119d6068e6400f744ed6b314b4b
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Target Milestone: 5.12 → 5.11.9
Verified FIXED; I'm now getting the following error message: "This URL has an invalid format. Valid URLs look like http://example.com/my_page."
Status: RESOLVED → VERIFIED
Product: addons.mozilla.org → addons.mozilla.org Graveyard