BC-10857 - Add validation for invalid characters in file name inputs (#3971)

bischofmax · web-flow · commit 4534b663dab1 · 2025-11-24T09:59:50.000+01:00
diff --git a/src/locales/de.ts b/src/locales/de.ts
@@ -1997,4 +1997,5 @@ export default {
 	"pages.folder.delete-multiple-confirmation": "Alle {total} Dateien wirklich löschen?",
 	"pages.folder.delete-confirmation": "Datei {name} wirklich löschen?",
 	"pages.folder.rename-file-dialog.validation.duplicate-file-name": "Der Dateiname existiert bereits.",
+	"pages.folder.rename-file-dialog.validation.invalid-characters": "Der Dateiname enthält ungültige Zeichen.",
 };
diff --git a/src/locales/en.ts b/src/locales/en.ts
@@ -1963,4 +1963,5 @@ export default {
 	"pages.folder.delete-multiple-confirmation": "Delete all {total} files?",
 	"pages.folder.delete-confirmation": "Do you really want to delete file {name}?",
 	"pages.folder.rename-file-dialog.validation.duplicate-file-name": "The file name already exists.",
+	"pages.folder.rename-file-dialog.validation.invalid-characters": "The file name contains invalid characters.",
 };
diff --git a/src/locales/es.ts b/src/locales/es.ts
@@ -2014,4 +2014,6 @@ export default {
 	"pages.folder.delete-multiple-confirmation": "¿Borrar realmente todos los archivos {total}?",
 	"pages.folder.delete-confirmation": "¿Borrar realmente el archivo {name}?",
 	"pages.folder.rename-file-dialog.validation.duplicate-file-name": "El nombre del archivo ya existe.",
+	"pages.folder.rename-file-dialog.validation.invalid-characters":
+		"El nombre del archivo contiene caracteres no válidos.",
 };
diff --git a/src/locales/uk.ts b/src/locales/uk.ts
@@ -1984,4 +1984,5 @@ export default {
 	"pages.folder.delete-multiple-confirmation": "Дійсно видалити всі {total} файли?",
 	"pages.folder.delete-confirmation": "Дійсно видалити файл {name}?",
 	"pages.folder.rename-file-dialog.validation.duplicate-file-name": "Ім'я файлу вже існує.",
+	"pages.folder.rename-file-dialog.validation.invalid-characters": "Ім'я файлу містить недопустимі символи.",
 };
diff --git a/src/modules/feature/board-file-element/content/inputs/file-name/FileName.unit.ts b/src/modules/feature/board-file-element/content/inputs/file-name/FileName.unit.ts
@@ -64,6 +64,32 @@ describe("FileName", () => {
 		});
 	});
 
+	describe("when a value containing / is entered", () => {
+		it("should display an error message", async () => {
+			const { wrapper } = mountSetup();
+
+			const textField = wrapper.findComponent(VTextField);
+			const input = textField.find("input[type='text']");
+			await input.setValue("invalid/name");
+			await nextTick();
+
+			expect(textField.text()).toContain(
+				wrapper.vm.$t("pages.folder.rename-file-dialog.validation.invalid-characters")
+			);
+		});
+
+		it("should not emit update:name", async () => {
+			const { wrapper } = mountSetup();
+
+			const textField = wrapper.findComponent(VTextField);
+			const newFileName = "my/NewImage";
+			await textField.setValue(newFileName);
+			await nextTick();
+
+			expect(wrapper.emitted("update:name")).toBeUndefined();
+		});
+	});
+
 	describe("when an empty value is entered", () => {
 		it("should not emit update:name", async () => {
 			const { wrapper } = mountSetup();
diff --git a/src/modules/feature/board-file-element/content/inputs/file-name/FileName.vue b/src/modules/feature/board-file-element/content/inputs/file-name/FileName.vue
@@ -3,15 +3,15 @@
 		v-model="nameRef"
 		data-testid="file-name-input"
 		:label="t('common.labels.fileName')"
-		:rules="[rules.isRequired, rules.validateOnOpeningTag]"
+		:rules="[rules.isRequired, rules.validateOnOpeningTag, rules.invalidCharacters]"
 		@click.stop
 		@keydown.enter.stop
 	/>
 </template>
 
 <script setup lang="ts">
 import { getFileExtension, removeFileExtension } from "@/utils/fileHelper";
-import { isRequired, useOpeningTagValidator } from "@util-validators";
+import { isRequired, useInvalidCharactersValidator, useOpeningTagValidator } from "@util-validators";
 import { computed, ref, watch } from "vue";
 import { useI18n } from "vue-i18n";
 
@@ -24,6 +24,7 @@ const props = withDefaults(defineProps<Props>(), {
 });
 
 const { validateOnOpeningTag } = useOpeningTagValidator();
+const { validateInvalidCharacters } = useInvalidCharactersValidator();
 
 const emit = defineEmits<{
 	(e: "update:name", name: string): void;
@@ -50,6 +51,7 @@ const rules = {
 		return validateOnOpeningTag(nameWithExtension);
 	},
 	isRequired: (value: string) => isRequired(t("common.validation.required"))(value),
+	invalidCharacters: (value: string) => validateInvalidCharacters(value, ["/"]),
 };
 
 const addFileExtension = (name: string) => {
@@ -66,7 +68,10 @@ const updateName = (value: string) => {
 watch(nameRef, (newValue) => {
 	const nameWithExtension = addFileExtension(newValue);
 
-	const isNameValid = rules.validateOnOpeningTag(nameWithExtension) === true && rules.isRequired(newValue) === true;
+	const isNameValid =
+		rules.validateOnOpeningTag(nameWithExtension) === true &&
+		rules.isRequired(newValue) === true &&
+		rules.invalidCharacters(newValue) === true;
 
 	if (isNameValid) {
 		updateName(nameWithExtension);
diff --git a/src/modules/feature/board/shared/AddCollaboraFileDialog.unit.ts b/src/modules/feature/board/shared/AddCollaboraFileDialog.unit.ts
@@ -76,6 +76,13 @@ describe("CollaboraFileDialog", () => {
 			expect(wrapper.findComponent(VForm).isVisible()).toBe(true);
 		});
 
+		it("should have confirm button disabled initially", async () => {
+			const { wrapper } = await setup();
+
+			const dialog = wrapper.findComponent(Dialog);
+			expect(dialog.props("confirmBtnDisabled")).toBe(true);
+		});
+
 		it("should render options", async () => {
 			const { collaboraFileSelectionOptions, wrapper } = await setup();
 
@@ -106,6 +113,24 @@ describe("CollaboraFileDialog", () => {
 				expect(selectOption.action).toHaveBeenCalled();
 				expect(selectOption.action).toHaveBeenCalledWith(FILENAME, "");
 			});
+
+			it("should have confirm button enabled", async () => {
+				const { collaboraFileSelectionOptions, wrapper } = await setup();
+
+				const selectOption = collaboraFileSelectionOptions[0];
+				const FILENAME = "myDocument";
+
+				const typeSelect = wrapper.findComponent(VSelect);
+				typeSelect.vm.$emit("update:modelValue", selectOption.id);
+				await nextTick();
+
+				const fileNameInput = wrapper.findComponent("[data-testid='collabora-element-form-filename']");
+				await fileNameInput.find("input").setValue(FILENAME);
+				await nextTick();
+
+				const dialog = wrapper.findComponent(Dialog);
+				expect(dialog.props("confirmBtnDisabled")).toBe(false);
+			});
 		});
 
 		describe("when filetype is not selected", () => {
@@ -123,6 +148,17 @@ describe("CollaboraFileDialog", () => {
 				await flushPromises();
 				expect(selectOption.action).toHaveBeenCalledTimes(0);
 			});
+
+			it("should have confirm button disabled", async () => {
+				const { wrapper } = await setup();
+
+				const fileNameInput = wrapper.findComponent("[data-testid='collabora-element-form-filename']");
+				await fileNameInput.find("input").setValue("myDocument");
+				await nextTick();
+
+				const dialog = wrapper.findComponent(Dialog);
+				expect(dialog.props("confirmBtnDisabled")).toBe(true);
+			});
 		});
 
 		describe("when filename is empty", () => {
@@ -145,6 +181,61 @@ describe("CollaboraFileDialog", () => {
 				await flushPromises();
 				expect(selectOption.action).toHaveBeenCalledTimes(0);
 			});
+
+			it("should have confirm button disabled", async () => {
+				const { collaboraFileSelectionOptions, wrapper } = await setup();
+
+				const selectOption = collaboraFileSelectionOptions[0];
+
+				const typeSelect = wrapper.findComponent(VSelect);
+				typeSelect.vm.$emit("update:modelValue", selectOption.id);
+				await nextTick();
+
+				const dialog = wrapper.findComponent(Dialog);
+				expect(dialog.props("confirmBtnDisabled")).toBe(true);
+			});
+		});
+
+		describe("when filename contains invalid characters", () => {
+			it("should have confirm button disabled", async () => {
+				const { collaboraFileSelectionOptions, wrapper } = await setup();
+
+				const selectOption = collaboraFileSelectionOptions[0];
+
+				const typeSelect = wrapper.findComponent(VSelect);
+				typeSelect.vm.$emit("update:modelValue", selectOption.id);
+				await nextTick();
+
+				const fileNameInput = wrapper.findComponent("[data-testid='collabora-element-form-filename']");
+				await fileNameInput.find("input").setValue("invalid/filename");
+				await nextTick();
+
+				const dialog = wrapper.findComponent(Dialog);
+				expect(dialog.props("confirmBtnDisabled")).toBe(true);
+			});
+		});
+
+		describe("when caption contains opening tag", () => {
+			it("should have confirm button disabled", async () => {
+				const { collaboraFileSelectionOptions, wrapper } = await setup();
+
+				const selectOption = collaboraFileSelectionOptions[0];
+
+				const typeSelect = wrapper.findComponent(VSelect);
+				typeSelect.vm.$emit("update:modelValue", selectOption.id);
+				await nextTick();
+
+				const fileNameInput = wrapper.findComponent("[data-testid='collabora-element-form-filename']");
+				await fileNameInput.find("input").setValue("validFilename");
+				await nextTick();
+
+				const captionInput = wrapper.findComponent("[data-testid='collabora-element-form-caption']");
+				await captionInput.find("textarea").setValue("<script>alert('xss')</script>");
+				await nextTick();
+
+				const dialog = wrapper.findComponent(Dialog);
+				expect(dialog.props("confirmBtnDisabled")).toBe(true);
+			});
 		});
 
 		it("should close modal on close button click", async () => {
diff --git a/src/modules/feature/board/shared/AddCollaboraFileDialog.vue b/src/modules/feature/board/shared/AddCollaboraFileDialog.vue
@@ -2,6 +2,7 @@
 	<Dialog
 		v-model:is-dialog-open="isCollaboraFileDialogOpen"
 		:message="t('components.elementTypeSelection.elements.collabora.subtitle')"
+		:confirm-btn-disabled="!isFormValid"
 		confirm-btn-lang-key="common.actions.create"
 		data-testid="collabora-element-dialog"
 		@cancel="onCancel"
@@ -43,8 +44,8 @@
 <script setup lang="ts">
 import { useAddCollaboraFile } from "./add-collabora-file.composable";
 import { Dialog } from "@ui-dialog";
-import { isRequired, useOpeningTagValidator } from "@util-validators";
-import { ref } from "vue";
+import { isRequired, useInvalidCharactersValidator, useOpeningTagValidator } from "@util-validators";
+import { computed, ref } from "vue";
 import { useI18n } from "vue-i18n";
 
 type VuetifyForm = {
@@ -53,6 +54,7 @@ type VuetifyForm = {
 
 const { isCollaboraFileDialogOpen, closeCollaboraFileDialog, collaboraFileSelectionOptions } = useAddCollaboraFile();
 const { validateOnOpeningTag } = useOpeningTagValidator();
+const { validateInvalidCharacters } = useInvalidCharactersValidator();
 
 const { t } = useI18n();
 
@@ -63,9 +65,28 @@ const fileName = ref<string>("");
 const caption = ref<string>("");
 
 const docTypeRules = [isRequired(t("common.validation.required2"))];
-const fileNameRules = [(value: string) => validateOnOpeningTag(value), isRequired(t("common.validation.required2"))];
+const fileNameRules = [
+	(value: string) => validateOnOpeningTag(value),
+	isRequired(t("common.validation.required2")),
+	(value: string) => validateInvalidCharacters(value, ["/"]),
+];
 const captionRules = [(value: string) => validateOnOpeningTag(value)];
 
+const passesAllRules = (value: string, rules: ((value: string) => true | string)[]): boolean =>
+	rules.every((rule) => rule(value) === true);
+
+const isFormValid = computed(() => {
+	if (!selectedDocType.value) {
+		return false;
+	}
+
+	const isFileNameValid = passesAllRules(fileName.value, fileNameRules);
+	const isCaptionValid = passesAllRules(caption.value, captionRules);
+	const isFormValid = isFileNameValid && isCaptionValid;
+
+	return isFormValid;
+});
+
 const resetForm = () => {
 	selectedDocType.value = null;
 	fileName.value = "";
diff --git a/src/modules/feature/folder/file-table/RenameFileDialog.unit.ts b/src/modules/feature/folder/file-table/RenameFileDialog.unit.ts
@@ -156,4 +156,44 @@ describe("RenameFileDialog", () => {
 			expect(textField.text()).toContain("common.validation.containsOpeningTag");
 		});
 	});
+
+	describe("when a value contains a /", () => {
+		const setup = () => {
+			const wrapper = mount(RenameFileDialog, {
+				props: {
+					isDialogOpen: true,
+					fileRecords: [],
+				},
+				global: {
+					plugins: [createTestingVuetify(), createTestingI18n()],
+					stubs: { UseFocusTrap: true },
+					renderStubDefaultSlot: true, // to access content inside focus trap
+				},
+			});
+			return { wrapper };
+		};
+
+		it("should display invalid characters error message", async () => {
+			const { wrapper } = setup();
+
+			const textField = wrapper.findComponent(VTextField);
+			const input = textField.find("input[type='text']");
+			await input.setValue("invalid/name");
+			await input.trigger("input");
+
+			expect(textField.text()).toContain("pages.folder.rename-file-dialog.validation.invalid-characters");
+		});
+
+		it("should disable confirm button", async () => {
+			const { wrapper } = setup();
+
+			const textField = wrapper.findComponent(VTextField);
+			const input = textField.find("input[type='text']");
+			await input.setValue("invalid/name");
+			await input.trigger("input");
+
+			const dialog = wrapper.findComponent(Dialog);
+			expect(dialog.props("confirmBtnDisabled")).toBe(true);
+		});
+	});
 });
diff --git a/src/modules/feature/folder/file-table/RenameFileDialog.vue b/src/modules/feature/folder/file-table/RenameFileDialog.vue
@@ -14,7 +14,7 @@
 				flat
 				:aria-label="$t('common.labels.name.new')"
 				:label="t('common.labels.name.new')"
-				:rules="[rules.required, rules.validateOnOpeningTag, rules.checkDuplicatedNames]"
+				:rules="[rules.required, rules.validateOnOpeningTag, rules.checkDuplicatedNames, rules.checkInvalidCharacters]"
 			/>
 		</template>
 	</Dialog>
@@ -24,7 +24,7 @@
 import { FileRecord } from "@/types/file/File";
 import { getFileExtension, removeFileExtension } from "@/utils/fileHelper";
 import { Dialog } from "@ui-dialog";
-import { useOpeningTagValidator } from "@util-validators";
+import { useInvalidCharactersValidator, useOpeningTagValidator } from "@util-validators";
 import { computed, PropType, reactive, ref, watch } from "vue";
 import { useI18n } from "vue-i18n";
 
@@ -59,6 +59,7 @@ watch(
 const { t } = useI18n();
 
 const { validateOnOpeningTag } = useOpeningTagValidator();
+const { validateInvalidCharacters } = useInvalidCharactersValidator();
 
 const rules = reactive({
 	required: (value: string) => !!value || t("common.validation.required"),
@@ -77,13 +78,15 @@ const rules = reactive({
 			t("pages.folder.rename-file-dialog.validation.duplicate-file-name")
 		);
 	},
+	checkInvalidCharacters: (value: string) => validateInvalidCharacters(value, ["/"]),
 });
 
 const isNameValid = computed(
 	() =>
 		rules.required(nameRef.value) === true &&
 		rules.validateOnOpeningTag(nameRef.value) === true &&
-		rules.checkDuplicatedNames(nameRef.value) === true
+		rules.checkDuplicatedNames(nameRef.value) === true &&
+		rules.checkInvalidCharacters(nameRef.value) === true
 );
 
 const onCancel = () => {
diff --git a/src/modules/util/validators/index.ts b/src/modules/util/validators/index.ts
@@ -1,3 +1,4 @@
+import { containsInvalidCharacters, useInvalidCharactersValidator } from "./invalidCharactersValidator";
 import { containsOpeningTagFollowedByString, useOpeningTagValidator } from "./openingTagValidator";
 import {
 	hasLowercaseLetter,
@@ -14,6 +15,7 @@ import {
 } from "./validators";
 
 export {
+	containsInvalidCharacters,
 	containsOpeningTagFollowedByString,
 	hasLowercaseLetter,
 	hasNumber,
@@ -26,5 +28,6 @@ export {
 	isValidDateFormat,
 	isValidTimeFormat,
 	isValidUrl,
+	useInvalidCharactersValidator,
 	useOpeningTagValidator,
 };
diff --git a/src/modules/util/validators/invalidCharactersValidator.ts b/src/modules/util/validators/invalidCharactersValidator.ts
diff --git a/src/modules/util/validators/invalidCharactersValidator.unit.ts b/src/modules/util/validators/invalidCharactersValidator.unit.ts
