Merge pull request #1218 from NASA-IMPACT/1217-add-data-validation-to-the-feedback-form-api-to-restrict-html-content

HTML validator has been set at serializer level

Author: bishwaspraveen

CHANGELOG.md

@@ -12,3 +12,10 @@ For each PR made, an entry should be added to this changelog. It should contain
   - etc.
 
 ## Changelog
+
+- 1217-add-data-validation-to-the-feedback-form-api-to-restrict-html-content
+  - Description: The feedback form API does not currently have any form of data validation on the backend which makes it easy for the user with the endpoint to send in data with html tags. We need to have a validation scheme on the backend to protect this from happening.
+  - Changes:
+    - Defined a class `HTMLFreeCharField` which inherits `serializers.CharField`
+    - Used regex to catch any HTML content comming in as an input to form fields
+    - Called this class within the serializer for necessary fields

feedback/serializers.py

@@ -1,9 +1,27 @@
+import re
+
 from rest_framework import serializers
 
 from .models import ContentCurationRequest, Feedback
 
 
+class HTMLFreeCharField(serializers.CharField):
+    def to_internal_value(self, data):
+        value = super().to_internal_value(data)
+
+        if re.search(r"<[^>]+>", value):
+            raise serializers.ValidationError("HTML tags are not allowed in this field")
+
+        return value
+
+
 class FeedbackSerializer(serializers.ModelSerializer):
+
+    name = HTMLFreeCharField()
+    subject = HTMLFreeCharField()
+    comments = HTMLFreeCharField()
+    source = HTMLFreeCharField()
+
     class Meta:
         model = Feedback
         fields = [