CCM-12065: Url validation

ClareJonesBJSS · ClareJonesBJSS · commit 4d103783afaa · 2025-09-22T11:14:40.000+01:00
diff --git a/frontend/src/__tests__/components/forms/EmailTemplateForm/server-action.test.ts b/frontend/src/__tests__/components/forms/EmailTemplateForm/server-action.test.ts
@@ -68,6 +68,30 @@ describe('CreateEmailTemplate server actions', () => {
     });
   });
 
+  it('create-email-template - should return response when when template message contains insecure url', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-email-template',
+        emailTemplateName: 'template-name',
+        emailTemplateSubjectLine: 'template-subject-line',
+        emailTemplateMessage: '**a message linking to http://www.example.com**',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          emailTemplateMessage: [
+            'The message includes an insecure http:// link. All links must use https://',
+          ],
+        },
+      },
+    });
+  });
+
   test('should save the template and redirect', async () => {
     saveTemplateMock.mockResolvedValue({
       ...initialState,
diff --git a/frontend/src/__tests__/components/forms/NhsAppTemplateForm/server-action.test.ts b/frontend/src/__tests__/components/forms/NhsAppTemplateForm/server-action.test.ts
@@ -71,6 +71,54 @@ describe('CreateNHSAppTemplate server actions', () => {
     });
   });
 
+  it('create-nhs-app-template - should return response when when template message contains insecure url', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-nhs-app-template',
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage:
+          '**a message linking to http://www.example.com**',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          nhsAppTemplateMessage: [
+            'The message includes an insecure http:// link. All links must use https://',
+          ],
+        },
+      },
+    });
+  });
+
+  it('create-nhs-app-template - should return response when when template message contains link with angle brackets', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-nhs-app-template',
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage:
+          '**a message linking to [example.com](https://www.example.com/withparams?param1=<>)**',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          nhsAppTemplateMessage: [
+            'The message includes a link that contains an angle bracket character. They must be removed or URL encoded',
+          ],
+        },
+      },
+    });
+  });
+
   test('should save the template and redirect', async () => {
     saveTemplateMock.mockResolvedValue({
       ...savedState,
@@ -98,6 +146,36 @@ describe('CreateNHSAppTemplate server actions', () => {
     );
   });
 
+  test('should save a template that contains a url with angle brackets, if they are url encoded', async () => {
+    saveTemplateMock.mockResolvedValue({
+      ...savedState,
+      name: 'template-name',
+      message:
+        '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
+    });
+
+    await processFormActions(
+      savedState,
+      getMockFormData({
+        nhsAppTemplateName: 'template-name',
+        nhsAppTemplateMessage:
+          '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
+      })
+    );
+
+    expect(saveTemplateMock).toHaveBeenCalledWith({
+      ...savedState,
+      name: 'template-name',
+      message:
+        '**a message linking to [example.com](https://www.example.com/withparams?param1=%3C%3E)**',
+    });
+
+    expect(redirectMock).toHaveBeenCalledWith(
+      `/preview-nhs-app-template/template-id?from=edit`,
+      'push'
+    );
+  });
+
   test('should create the template and redirect', async () => {
     createTemplateMock.mockResolvedValue(savedState);
 
diff --git a/frontend/src/__tests__/components/forms/SmsTemplateForm/server-action.test.ts b/frontend/src/__tests__/components/forms/SmsTemplateForm/server-action.test.ts
@@ -65,6 +65,30 @@ describe('CreateSmsTemplate server actions', () => {
     });
   });
 
+  it('create-sms-template - should return response when when template message contains insecure url', async () => {
+    const response = await processFormActions(
+      initialState,
+      getMockFormData({
+        'form-id': 'create-sms-template',
+        smsTemplateName: 'template-name',
+        smsTemplateMessage:
+          'a message linking to http://www.example.com with http',
+      })
+    );
+
+    expect(response).toEqual({
+      ...initialState,
+      errorState: {
+        formErrors: [],
+        fieldErrors: {
+          smsTemplateMessage: [
+            'The message includes an insecure http:// link. All links must use https://',
+          ],
+        },
+      },
+    });
+  });
+
   test('should save the template and redirect', async () => {
     saveTemplateMock.mockResolvedValue({
       ...initialState,
diff --git a/frontend/src/components/forms/EmailTemplateForm/server-action.ts b/frontend/src/components/forms/EmailTemplateForm/server-action.ts
@@ -27,6 +27,9 @@ export const $EmailTemplateFormSchema = z.object({
     .min(1, { message: form.emailTemplateMessage.error.empty })
     .max(MAX_EMAIL_CHARACTER_LENGTH, {
       message: form.emailTemplateMessage.error.max,
+    })
+    .refine((templateMessage) => !templateMessage.includes('http://'), {
+      message: form.emailTemplateMessage.error.insecureLink,
     }),
 });
 
diff --git a/frontend/src/components/forms/NhsAppTemplateForm/server-action.ts b/frontend/src/components/forms/NhsAppTemplateForm/server-action.ts
@@ -1,3 +1,4 @@
+import markdownit from 'markdown-it';
 import {
   TemplateFormState,
   NHSAppTemplate,
@@ -14,14 +15,41 @@ const {
   },
 } = content;
 
+const hasInvalidCharactersInLinks = (message: string): boolean => {
+  const md = markdownit();
+
+  const parsedMessage = md.parseInline(message, {});
+  // [] branch should be unreachable
+  /* istanbul ignore next */
+  const tokens = parsedMessage[0]?.children || [];
+
+  for (const token of tokens) {
+    if (token.type === 'link_open') {
+      const href = token.attrGet('href');
+      if (href && !message.includes(href)) {
+        // markdown-it url-encodes angle brackets during parsing, so the original url must have included them
+        return true;
+      }
+    }
+  }
+  return false;
+};
+
 export const $CreateNhsAppTemplateSchema = z.object({
   nhsAppTemplateName: z
     .string({ message: form.nhsAppTemplateName.error.empty })
     .min(1, { message: form.nhsAppTemplateName.error.empty }),
   nhsAppTemplateMessage: z
     .string({ message: form.nhsAppTemplateMessage.error.empty })
     .min(1, { message: form.nhsAppTemplateMessage.error.empty })
-    .max(5000, { message: form.nhsAppTemplateMessage.error.max }),
+    .max(5000, { message: form.nhsAppTemplateMessage.error.max })
+    .refine((templateMessage) => !templateMessage.includes('http://'), {
+      message: form.nhsAppTemplateMessage.error.insecureLink,
+    })
+    .refine(
+      (templateMessage) => !hasInvalidCharactersInLinks(templateMessage),
+      { message: form.nhsAppTemplateMessage.error.invalidUrlCharacter }
+    ),
 });
 
 export async function processFormActions(
diff --git a/frontend/src/components/forms/SmsTemplateForm/server-action.ts b/frontend/src/components/forms/SmsTemplateForm/server-action.ts
@@ -24,6 +24,9 @@ export const $CreateSmsTemplateSchema = z.object({
     .min(1, { message: form.smsTemplateMessage.error.empty })
     .max(MAX_SMS_CHARACTER_LENGTH, {
       message: form.smsTemplateMessage.error.max,
+    })
+    .refine((templateMessage) => !templateMessage.includes('http://'), {
+      message: form.smsTemplateMessage.error.insecureLink,
     }),
 });
 
diff --git a/frontend/src/content/content.ts b/frontend/src/content/content.ts
@@ -10,6 +10,8 @@ const goBackButtonText = 'Go back';
 const enterATemplateName = 'Enter a template name';
 const enterATemplateMessage = 'Enter a template message';
 const templateMessageTooLong = 'Template message too long';
+const templateMessageHasInsecureLink =
+  'The message includes an insecure http:// link. All links must use https://';
 const selectAnOption = 'Select an option';
 
 const header = {
@@ -791,6 +793,9 @@ const templateFormNhsApp = {
       error: {
         empty: enterATemplateMessage,
         max: templateMessageTooLong,
+        insecureLink: templateMessageHasInsecureLink,
+        invalidUrlCharacter:
+          'The message includes a link that contains an angle bracket character. They must be removed or URL encoded',
       },
     },
   },
@@ -886,6 +891,7 @@ const templateFormEmail = {
       error: {
         empty: enterATemplateMessage,
         max: templateMessageTooLong,
+        insecureLink: templateMessageHasInsecureLink,
       },
     },
   },
@@ -929,6 +935,7 @@ const templateFormSms = {
       error: {
         empty: enterATemplateMessage,
         max: templateMessageTooLong,
+        insecureLink: templateMessageHasInsecureLink,
       },
     },
   },
