CCM-12065: Url validation (#700)

Co-authored-by: alex.nuttall1 <[email protected]>

Author: ClareJonesBJSS

frontend/src/__tests__/components/forms/EmailTemplateForm/server-action.test.ts

@@ -68,6 +68,28 @@ describe('CreateEmailTemplate server actions', () => {
     });
   });
 
+  it('create-email-template - should return response when when template message contains insecure url', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-email-template',
+        emailTemplateName: 'template-name',
+        emailTemplateSubjectLine: 'template-subject-line',
+        emailTemplateMessage: '**a message linking to http://www.example.com**',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          emailTemplateMessage: ['URLs must start with https://'],
+        },
+      },
+    });
+  });
+
   test('should save the template and redirect', async () => {
     saveTemplateMock.mockResolvedValue({
       ...initialState,

frontend/src/__tests__/components/forms/NhsAppTemplateForm/server-action.test.ts

@@ -71,6 +71,50 @@ describe('CreateNHSAppTemplate server actions', () => {
     });
   });
 
+  it('create-nhs-app-template - should return response when when template message contains insecure url', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-nhs-app-template',
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage:
+          '**a message linking to http://www.example.com**',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          nhsAppTemplateMessage: ['URLs must start with https://'],
+        },
+      },
+    });
+  });
+
+  it('create-nhs-app-template - should return response when when template message contains link with angle brackets', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-nhs-app-template',
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage:
+          '**a message linking to [example.com](https://www.example.com/withparams?param1=<>)**',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          nhsAppTemplateMessage: ['URLs cannot include the symbols < or >'],
+        },
+      },
+    });
+  });
+
   test('should save the template and redirect', async () => {
     saveTemplateMock.mockResolvedValue({
       ...savedState,
@@ -98,6 +142,36 @@ describe('CreateNHSAppTemplate server actions', () => {
     );
   });
 
+  test('should save a template that contains a url with angle brackets, if they are url encoded', async () => {
+    saveTemplateMock.mockResolvedValue({
+      ...savedState,
+      name: 'template-name',
+      message:
+        '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
+    });
+
+    await processFormActions(
+      savedState,
+      getMockFormData({
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage:
+          '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
+      })
+    );
+
+    expect(saveTemplateMock).toHaveBeenCalledWith({
+      ...savedState,
+      name: 'template-name',
+      message:
+        '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
+    });
+
+    expect(redirectMock).toHaveBeenCalledWith(
+      `/preview-nhs-app-template/template-id?from=edit`,
+      'push'
+    );
+  });
+
   test('should create the template and redirect', async () => {
     createTemplateMock.mockResolvedValue(savedState);
 

frontend/src/__tests__/components/forms/SmsTemplateForm/server-action.test.ts

@@ -65,6 +65,28 @@ describe('CreateSmsTemplate server actions', () => {
     });
   });
 
+  it('create-sms-template - should return response when when template message contains insecure url', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-sms-template',
+        smsTemplateName: 'template-name',
+        smsTemplateMessage:
+          'a message linking to http://www.example.com with http',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          smsTemplateMessage: ['URLs must start with https://'],
+        },
+      },
+    });
+  });
+
   test('should save the template and redirect', async () => {
     saveTemplateMock.mockResolvedValue({
       ...initialState,

frontend/src/components/forms/EmailTemplateForm/server-action.ts

@@ -27,6 +27,9 @@ export const $EmailTemplateFormSchema = z.object({
     .min(1, { message: form.emailTemplateMessage.error.empty })
     .max(MAX_EMAIL_CHARACTER_LENGTH, {
       message: form.emailTemplateMessage.error.max,
+    })
+    .refine((templateMessage) => !templateMessage.includes('http://'), {
+      message: form.emailTemplateMessage.error.insecureLink,
     }),
 });
 

frontend/src/components/forms/NhsAppTemplateForm/server-action.ts

@@ -1,3 +1,4 @@
+import markdownit from 'markdown-it';
 import {
   TemplateFormState,
   NHSAppTemplate,
@@ -14,14 +15,41 @@ const {
   },
 } = content;
 
+const hasInvalidCharactersInLinks = (message: string): boolean => {
+  const md = markdownit();
+
+  const parsedMessage = md.parseInline(message, {});
+  // [] branch should be unreachable
+  /* istanbul ignore next */
+  const tokens = parsedMessage[0]?.children || [];
+
+  for (const token of tokens) {
+    if (token.type === 'link_open') {
+      const href = token.attrGet('href');
+      if (href && !message.includes(href)) {
+        // markdown-it url-encodes angle brackets during parsing, so the original url must have included them
+        return true;
+      }
+    }
+  }
+  return false;
+};
+
 export const $CreateNhsAppTemplateSchema = z.object({
   nhsAppTemplateName: z
     .string({ message: form.nhsAppTemplateName.error.empty })
     .min(1, { message: form.nhsAppTemplateName.error.empty }),
   nhsAppTemplateMessage: z
     .string({ message: form.nhsAppTemplateMessage.error.empty })
     .min(1, { message: form.nhsAppTemplateMessage.error.empty })
-    .max(5000, { message: form.nhsAppTemplateMessage.error.max }),
+    .max(5000, { message: form.nhsAppTemplateMessage.error.max })
+    .refine((templateMessage) => !templateMessage.includes('http://'), {
+      message: form.nhsAppTemplateMessage.error.insecureLink,
+    })
+    .refine(
+      (templateMessage) => !hasInvalidCharactersInLinks(templateMessage),
+      { message: form.nhsAppTemplateMessage.error.invalidUrlCharacter }
+    ),
 });
 
 export async function processFormActions(

frontend/src/components/forms/SmsTemplateForm/server-action.ts

@@ -24,6 +24,9 @@ export const $CreateSmsTemplateSchema = z.object({
     .min(1, { message: form.smsTemplateMessage.error.empty })
     .max(MAX_SMS_CHARACTER_LENGTH, {
       message: form.smsTemplateMessage.error.max,
+    })
+    .refine((templateMessage) => !templateMessage.includes('http://'), {
+      message: form.smsTemplateMessage.error.insecureLink,
     }),
 });
 

frontend/src/content/content.ts

@@ -10,6 +10,7 @@ const goBackButtonText = 'Go back';
 const enterATemplateName = 'Enter a template name';
 const enterATemplateMessage = 'Enter a template message';
 const templateMessageTooLong = 'Template message too long';
+const templateMessageHasInsecureLink = 'URLs must start with https://';
 const selectAnOption = 'Select an option';
 
 const header = {
@@ -793,6 +794,8 @@ const templateFormNhsApp = {
       error: {
         empty: enterATemplateMessage,
         max: templateMessageTooLong,
+        insecureLink: templateMessageHasInsecureLink,
+        invalidUrlCharacter: 'URLs cannot include the symbols < or >',
       },
     },
   },
@@ -896,6 +899,7 @@ const templateFormEmail = {
       error: {
         empty: enterATemplateMessage,
         max: templateMessageTooLong,
+        insecureLink: templateMessageHasInsecureLink,
       },
     },
   },
@@ -939,6 +943,7 @@ const templateFormSms = {
       error: {
         empty: enterATemplateMessage,
         max: templateMessageTooLong,
+        insecureLink: templateMessageHasInsecureLink,
       },
     },
   },

tests/test-team/template-mgmt-component-tests/email/template-mgmt-create-email-page.component.spec.ts

@@ -338,5 +338,38 @@ test.describe('Create Email message template Page', () => {
 
       await expect(createEmailTemplatePage.messageTextArea).toBeFocused();
     });
+
+    test('when user submits form with an http link, then an error is displayed', async ({
+      page,
+    }) => {
+      const errorMessage = 'URLs must start with https://';
+
+      const createEmailTemplatePage = new TemplateMgmtCreateEmailPage(page);
+
+      await createEmailTemplatePage.loadPage();
+
+      await createEmailTemplatePage.nameInput.fill('template-name');
+
+      await createEmailTemplatePage.subjectLineInput.fill(
+        'template-subject-line'
+      );
+
+      await createEmailTemplatePage.messageTextArea.fill(
+        'http://www.example.com'
+      );
+
+      await createEmailTemplatePage.clickSaveAndPreviewButton();
+
+      const emailMessageErrorLink =
+        createEmailTemplatePage.errorSummary.locator(
+          '[href="#emailTemplateMessage"]'
+        );
+
+      await expect(emailMessageErrorLink).toHaveText(errorMessage);
+
+      await emailMessageErrorLink.click();
+
+      await expect(createEmailTemplatePage.messageTextArea).toBeFocused();
+    });
   });
 });

tests/test-team/template-mgmt-component-tests/email/template-mgmt-edit-email-page.component.spec.ts

@@ -419,5 +419,38 @@ test.describe('Edit Email message template Page', () => {
 
       await expect(editEmailTemplatePage.messageTextArea).toBeFocused();
     });
+
+    test('when user submits form with an http link, then an error is displayed', async ({
+      page,
+    }) => {
+      const errorMessage = 'URLs must start with https://';
+
+      const createEmailTemplatePage = new TemplateMgmtEditEmailPage(page);
+
+      await createEmailTemplatePage.loadPage(templates.valid.id);
+
+      await createEmailTemplatePage.nameInput.fill('template-name');
+
+      await createEmailTemplatePage.subjectLineInput.fill(
+        'template-subject-line'
+      );
+
+      await createEmailTemplatePage.messageTextArea.fill(
+        'http://www.example.com'
+      );
+
+      await createEmailTemplatePage.clickSaveAndPreviewButton();
+
+      const emailMessageErrorLink =
+        createEmailTemplatePage.errorSummary.locator(
+          '[href="#emailTemplateMessage"]'
+        );
+
+      await expect(emailMessageErrorLink).toHaveText(errorMessage);
+
+      await emailMessageErrorLink.click();
+
+      await expect(createEmailTemplatePage.messageTextArea).toBeFocused();
+    });
   });
 });

tests/test-team/template-mgmt-component-tests/nhs-app/template-mgmt-create-nhs-app-template-page.component.spec.ts

@@ -156,6 +156,48 @@ test.describe('Create NHS App Template Page', () => {
     expect(messageContent).toHaveLength(5000);
   });
 
+  test('Validate error messages on the create NHS App message template page with http url in message', async ({
+    page,
+  }) => {
+    const createTemplatePage = new TemplateMgmtCreateNhsAppPage(page);
+
+    await createTemplatePage.loadPage();
+    await expect(createTemplatePage.pageHeading).toHaveText(
+      'Create NHS App message template'
+    );
+    await page.locator('[id="nhsAppTemplateName"]').fill('template-name');
+    await page
+      .locator('[id="nhsAppTemplateMessage"]')
+      .fill('http://www.example.com');
+    await createTemplatePage.clickSaveAndPreviewButton();
+    await expect(page.locator('.nhsuk-error-summary')).toBeVisible();
+
+    await expect(
+      page.locator('ul[class="nhsuk-list nhsuk-error-summary__list"] > li')
+    ).toHaveText(['URLs must start with https://']);
+  });
+
+  test('Validate error messages on the create NHS App message template page with angle brackets in linked url', async ({
+    page,
+  }) => {
+    const createTemplatePage = new TemplateMgmtCreateNhsAppPage(page);
+
+    await createTemplatePage.loadPage();
+    await expect(createTemplatePage.pageHeading).toHaveText(
+      'Create NHS App message template'
+    );
+    await page.locator('[id="nhsAppTemplateName"]').fill('template-name');
+    await page
+      .locator('[id="nhsAppTemplateMessage"]')
+      .fill('[example](https://www.example.com/<>)');
+    await createTemplatePage.clickSaveAndPreviewButton();
+    await expect(page.locator('.nhsuk-error-summary')).toBeVisible();
+
+    await expect(
+      page.locator('ul[class="nhsuk-list nhsuk-error-summary__list"] > li')
+    ).toHaveText(['URLs cannot include the symbols < or >']);
+  });
+
   const detailsSections = [
     'pds-personalisation-fields',
     'custom-personalisation-fields',