matomo: detect html tags in tracking_js (#32948)

hobo/matomo/forms.py

@@ -31,6 +31,14 @@ class SettingsForm(forms.Form):
         required=False,
         widget=forms.Textarea())
 
+    def clean_tracking_js(self):
+        value = self.cleaned_data['tracking_js']
+        if '<script' in value:
+            raise forms.ValidationError(
+                _('This field should only contain the Javascript code. '
+                  'You should remove the surrounding <script> markup.'))
+        return value
+
 
 class EnableForm(forms.Form):
     pass

tests/test_matomo_views.py

@@ -7,11 +7,10 @@ import re
 from requests import Response
 from webtest import TestApp
 
-from django.conf import settings
 from django.contrib.auth.models import User
 from django.test import override_settings
 
-from hobo.environment.models import Variable, Wcs, Combo, Fargo
+from hobo.environment.models import Wcs, Combo, Fargo
 from hobo.wsgi import application
 
 pytestmark = pytest.mark.django_db
@@ -123,25 +122,38 @@ def test_enable_manual(admin_user):
     app = login(TestApp(application))
 
     # get matomo's validation page
-    resp1 = app.get('/visits-tracking/enable-manual', status=200)
-    assert re.search('<textarea.* name="tracking_js"', resp1.body)
+    resp = app.get('/visits-tracking/enable-manual', status=200)
+    assert re.search('<textarea.* name="tracking_js"', resp.body)
 
     # validate and get matomo's home page
-    resp1.form['tracking_js'] = '...js_code_1...'
-    resp2 = resp1.form.submit().follow()
-    assert resp2.body.find('Manual configuration.')
-    assert re.search('<textarea.* name="tracking_js"', resp2.body)
-    assert resp2.body.find('...js_code_1...</textarea>') != -1
-    assert resp2.body.find('<button class="submit-button">Save</button>') != -1
+    resp.form['tracking_js'] = '...js_code_1...'
+    resp = resp.form.submit().follow()
+    assert resp.body.find('Manual configuration.')
+    assert re.search('<textarea.* name="tracking_js"', resp.body)
+    assert resp.body.find('...js_code_1...</textarea>') != -1
+    assert resp.body.find('<button class="submit-button">Save</button>') != -1
 
     # update JS code on matomo's home page
-    resp2.form['tracking_js'] = '...js_code_2...'
-    resp3 = resp2.form.submit().follow()
-    assert resp3.body.find('Manual configuration.') != -1
-    assert re.search('<textarea.* name="tracking_js"', resp3.body)
-    assert resp3.body.find('...js_code_2...</textarea>') != -1
-    assert resp3.body.find('<button class="submit-button">Save</button>') != -1
-    assert resp3.body.find('Good respect of user rights') != -1
+    resp.form['tracking_js'] = '...js_code_2...'
+    resp = resp.form.submit().follow()
+    assert resp.body.find('Manual configuration.') != -1
+    assert re.search('<textarea.* name="tracking_js"', resp.body)
+    assert resp.body.find('...js_code_2...</textarea>') != -1
+    assert resp.body.find('<button class="submit-button">Save</button>') != -1
+    assert resp.body.find('Good respect of user rights') != -1
+
+    # check html tags
+    resp.form['tracking_js'] = '<script>...js_code_2...</script>'
+    resp = resp.form.submit()
+    assert (
+        '<ul class="errorlist"><li>This field should only contain the Javascript code. '
+        'You should remove the surrounding &lt;script&gt; markup.</li></ul>') in resp.text
+    resp.form['tracking_js'] = '<script >'
+    resp = resp.form.submit()
+    assert (
+        '<ul class="errorlist"><li>This field should only contain the Javascript code. '
+        'You should remove the surrounding &lt;script&gt; markup.</li></ul>') in resp.text
+
 
 def test_available_options(admin_user):
     """check available buttons (manual/automatic configurations)"""