fix(auth): B-2.3 security review fixes — XSS escape + token replay

Targeted fixes for issues raised by code review on commit 37639a7 (B-2.3 DictIA email rebrand). All fixes verified against the Windows manual driver: 16/16 tests pass (12 pre-existing + 4 new regression). Critical: - C1 Stored XSS in transactional emails: user.name (validated only on Length(max=49), no character class) was rendered raw into the f-string HTML body of verification + reset emails. Added html.escape on the HTML branch; text body keeps the raw string (no XSS surface). Also hardened the fallback chain to ((name or '').strip() or username or 'utilisateur').strip() so a None/whitespace name never produces 'Bonjour ,'. - C2 Reflected XSS in templates/auth/check_email.html: the email value from request.form was concatenated with literal '<strong>' tags then fed through | safe, defeating Jinja's autoescape. Split the string so template-author HTML stays literal and {{ email }} is autoescaped. Used   for NBSP instead of '1 heure' | safe (more readable). Important: - I1 Dropped {{ message | safe }} on flash blocks in forgot_password.html and reset_password.html (matches check_email.html). No XSS today (flashes are static literals) but removes the landmine. - I2 Password reset token replay: URLSafeTimedSerializer is stateless, so the same valid link could be clicked twice within the 1h window. Added a check that user.password_reset_token == token after the user lookup — runs before BOTH GET (form render) and POST (password update). The existing 'user.password_reset_token = None' on success now actually invalidates the token. - I5 MIMEText defaults to us-ascii, which Q-encodes accented French characters and produces mojibake in some clients. Added explicit 'utf-8' charset on both text and html parts in _send_email. New regression tests (tests/test_email_service_dictia.py): - test_verification_email_falls_back_when_name_is_whitespace (I4) - test_verification_email_handles_unicode_name (I5) - test_verification_email_escapes_html_in_user_name (C1) - test_check_email_template_escapes_email_in_response (C2) Out of scope (per review): M1 (already addressed via solid-color fallback), M2 (datetime.utcnow — pre-existing, separate cleanup), M3 (Windows test driver — documented in tests file docstring), M4-M6 (deferred). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 23:14:11 -04:00
parent 37639a7d09
commit dd270bca9e
6 changed files with 143 additions and 17 deletions
--- a/templates/auth/check_email.html
+++ b/templates/auth/check_email.html
@@ -16,11 +16,11 @@

    <p class="text-sm text-brand-navy/70 mb-6">
      {% if action == 'password_reset' %}
-        {{ "Si un compte DictIA existe pour <strong>" ~ email ~ "</strong>, vous recevrez un courriel avec un lien pour réinitialiser votre mot de passe. Le lien expire dans 1&nbsp;heure." | safe }}
+        Si un compte DictIA existe pour <strong>{{ email }}</strong>, vous recevrez un courriel avec un lien pour réinitialiser votre mot de passe. Le lien expire dans 1&#160;heure.
      {% elif action == 'verification_required' %}
-        {{ "Vérifiez votre boîte de réception à <strong>" ~ email ~ "</strong>. Si vous ne recevez rien, demandez un nouveau courriel ci-dessous." | safe }}
+        Vérifiez votre boîte de réception à <strong>{{ email }}</strong>. Si vous ne recevez rien, demandez un nouveau courriel ci-dessous.
      {% else %}
-        {{ "Nous avons envoyé un lien de vérification à <strong>" ~ email ~ "</strong>. Cliquez dessus pour activer votre compte. Le lien expire dans 24&nbsp;heures." | safe }}
+        Nous avons envoyé un lien de vérification à <strong>{{ email }}</strong>. Cliquez dessus pour activer votre compte. Le lien expire dans 24&#160;heures.
      {% endif %}
    </p>

--- a/templates/auth/forgot_password.html
+++ b/templates/auth/forgot_password.html
@@ -17,7 +17,7 @@
            {% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
            {% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
            {% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
-            {{ message | safe }}
+            {{ message }}
          </div>
        {% endfor %}
      {% endif %}
--- a/templates/auth/reset_password.html
+++ b/templates/auth/reset_password.html
@@ -17,7 +17,7 @@
            {% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
            {% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
            {% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
-            {{ message | safe }}
+            {{ message }}
          </div>
        {% endfor %}
      {% endif %}