dd270bca9e
Targeted fixes for issues raised by code review on commit 37639a7
(B-2.3 DictIA email rebrand). All fixes verified against the Windows
manual driver: 16/16 tests pass (12 pre-existing + 4 new regression).
Critical:
- C1 Stored XSS in transactional emails: user.name (validated only on
Length(max=49), no character class) was rendered raw into the f-string
HTML body of verification + reset emails. Added html.escape on the
HTML branch; text body keeps the raw string (no XSS surface). Also
hardened the fallback chain to ((name or '').strip() or username or
'utilisateur').strip() so a None/whitespace name never produces
'Bonjour ,'.
- C2 Reflected XSS in templates/auth/check_email.html: the email value
from request.form was concatenated with literal '<strong>' tags then
fed through | safe, defeating Jinja's autoescape. Split the string so
template-author HTML stays literal and {{ email }} is autoescaped.
Used   for NBSP instead of '1 heure' | safe (more readable).
Important:
- I1 Dropped {{ message | safe }} on flash blocks in
forgot_password.html and reset_password.html (matches check_email.html).
No XSS today (flashes are static literals) but removes the landmine.
- I2 Password reset token replay: URLSafeTimedSerializer is stateless,
so the same valid link could be clicked twice within the 1h window.
Added a check that user.password_reset_token == token after the user
lookup — runs before BOTH GET (form render) and POST (password update).
The existing 'user.password_reset_token = None' on success now
actually invalidates the token.
- I5 MIMEText defaults to us-ascii, which Q-encodes accented French
characters and produces mojibake in some clients. Added explicit
'utf-8' charset on both text and html parts in _send_email.
New regression tests (tests/test_email_service_dictia.py):
- test_verification_email_falls_back_when_name_is_whitespace (I4)
- test_verification_email_handles_unicode_name (I5)
- test_verification_email_escapes_html_in_user_name (C1)
- test_check_email_template_escapes_email_in_response (C2)
Out of scope (per review): M1 (already addressed via solid-color
fallback), M2 (datetime.utcnow — pre-existing, separate cleanup),
M3 (Windows test driver — documented in tests file docstring),
M4-M6 (deferred).
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
62 lines
3.3 KiB
HTML
62 lines
3.3 KiB
HTML
{% extends 'marketing/base.html' %}
|
|
|
|
{% block title %}{% if action == 'password_reset' %}Vérifiez votre courriel — DictIA{% else %}Confirmez votre courriel — DictIA{% endif %}{% endblock %}
|
|
{% block description %}Un courriel vous a été envoyé. Suivez le lien pour activer votre compte DictIA.{% endblock %}
|
|
|
|
{% block content %}
|
|
<section class="min-h-[calc(100vh-62px)] bg-brand-bg py-16 px-4" aria-labelledby="check-email-title">
|
|
<div class="max-w-md mx-auto bg-white p-8 rounded-[18px] border border-brand-border shadow-cta text-center">
|
|
<div class="mx-auto mb-6 w-16 h-16 rounded-full grad-bg flex items-center justify-center text-white text-2xl" aria-hidden="true">✉</div>
|
|
|
|
<h1 id="check-email-title" class="text-2xl font-black text-brand-navy mb-2">
|
|
{% if action == 'password_reset' %}Vérifiez votre courriel
|
|
{% elif action == 'verification_required' %}Vérification requise
|
|
{% else %}Confirmez votre courriel{% endif %}
|
|
</h1>
|
|
|
|
<p class="text-sm text-brand-navy/70 mb-6">
|
|
{% if action == 'password_reset' %}
|
|
Si un compte DictIA existe pour <strong>{{ email }}</strong>, vous recevrez un courriel avec un lien pour réinitialiser votre mot de passe. Le lien expire dans 1 heure.
|
|
{% elif action == 'verification_required' %}
|
|
Vérifiez votre boîte de réception à <strong>{{ email }}</strong>. Si vous ne recevez rien, demandez un nouveau courriel ci-dessous.
|
|
{% else %}
|
|
Nous avons envoyé un lien de vérification à <strong>{{ email }}</strong>. Cliquez dessus pour activer votre compte. Le lien expire dans 24 heures.
|
|
{% endif %}
|
|
</p>
|
|
|
|
{% with messages = get_flashed_messages(with_categories=true) %}
|
|
{% if messages %}
|
|
{% for category, message in messages %}
|
|
<div role="alert" class="mb-3 p-3 rounded-lg text-sm
|
|
{% if category == 'danger' %}bg-red-50 text-red-900 border border-red-200
|
|
{% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
|
|
{% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
|
|
{% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
|
|
{{ message }}
|
|
</div>
|
|
{% endfor %}
|
|
{% endif %}
|
|
{% endwith %}
|
|
|
|
{% if show_resend and action != 'password_reset' %}
|
|
<form method="POST" action="{{ url_for('auth.resend_verification') }}" class="mb-4">
|
|
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
|
|
<input type="hidden" name="email" value="{{ email }}">
|
|
<button type="submit" class="w-full grad-bg text-white font-semibold py-3 rounded-[0.75rem] shadow-cta hover:shadow-cta-hover transition focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
|
|
Renvoyer le lien de vérification
|
|
</button>
|
|
</form>
|
|
{% endif %}
|
|
|
|
<p class="text-xs text-brand-navy/70 mt-4">
|
|
Vous ne recevez rien ? Vérifiez vos pourriels (spam) ou
|
|
<a href="mailto:info@dictia.ca" class="grad-text font-semibold">contactez le support</a>.
|
|
</p>
|
|
|
|
<p class="mt-6 text-sm">
|
|
<a href="{{ url_for('auth.login') }}" class="grad-text font-semibold">← Retour à la connexion</a>
|
|
</p>
|
|
</div>
|
|
</section>
|
|
{% endblock %}
|