Innova-AI/dictia-public
3
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
Files
dd270bca9eb6470f726ea6c9618952547b666ec7
dictia-public/templates/auth/reset_password.html
Allison dd270bca9e fix(auth): B-2.3 security review fixes — XSS escape + token replay 
Targeted fixes for issues raised by code review on commit 37639a7
(B-2.3 DictIA email rebrand). All fixes verified against the Windows
manual driver: 16/16 tests pass (12 pre-existing + 4 new regression).

Critical:
  - C1 Stored XSS in transactional emails: user.name (validated only on
    Length(max=49), no character class) was rendered raw into the f-string
    HTML body of verification + reset emails. Added html.escape on the
    HTML branch; text body keeps the raw string (no XSS surface). Also
    hardened the fallback chain to ((name or '').strip() or username or
    'utilisateur').strip() so a None/whitespace name never produces
    'Bonjour ,'.
  - C2 Reflected XSS in templates/auth/check_email.html: the email value
    from request.form was concatenated with literal '<strong>' tags then
    fed through | safe, defeating Jinja's autoescape. Split the string so
    template-author HTML stays literal and {{ email }} is autoescaped.
    Used &#160; for NBSP instead of '1&nbsp;heure' | safe (more readable).

Important:
  - I1 Dropped {{ message | safe }} on flash blocks in
    forgot_password.html and reset_password.html (matches check_email.html).
    No XSS today (flashes are static literals) but removes the landmine.
  - I2 Password reset token replay: URLSafeTimedSerializer is stateless,
    so the same valid link could be clicked twice within the 1h window.
    Added a check that user.password_reset_token == token after the user
    lookup — runs before BOTH GET (form render) and POST (password update).
    The existing 'user.password_reset_token = None' on success now
    actually invalidates the token.
  - I5 MIMEText defaults to us-ascii, which Q-encodes accented French
    characters and produces mojibake in some clients. Added explicit
    'utf-8' charset on both text and html parts in _send_email.

New regression tests (tests/test_email_service_dictia.py):
  - test_verification_email_falls_back_when_name_is_whitespace (I4)
  - test_verification_email_handles_unicode_name (I5)
  - test_verification_email_escapes_html_in_user_name (C1)
  - test_check_email_template_escapes_email_in_response (C2)

Out of scope (per review): M1 (already addressed via solid-color
fallback), M2 (datetime.utcnow — pre-existing, separate cleanup),
M3 (Windows test driver — documented in tests file docstring),
M4-M6 (deferred).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-27 23:14:11 -04:00

55 lines
3.3 KiB
HTML
Raw Blame History

{% extends 'marketing/base.html' %}
{% block title %}Nouveau mot de passe — DictIA{% endblock %}
{% block description %}Définissez un nouveau mot de passe pour votre compte DictIA. Lien sécurisé valide 1 heure.{% endblock %}
{% block content %}
<section class="min-h-[calc(100vh-62px)] bg-brand-bg py-16 px-4" aria-labelledby="reset-title">
<div class="max-w-md mx-auto bg-white p-8 rounded-[18px] border border-brand-border shadow-cta">
<h1 id="reset-title" class="text-3xl font-black text-brand-navy mb-2">Nouveau mot de passe</h1>
<p class="text-sm text-brand-navy/70 mb-6">Choisissez un mot de passe robuste pour sécuriser votre compte DictIA.</p>
{% with messages = get_flashed_messages(with_categories=true) %}
{% if messages %}
{% for category, message in messages %}
<div role="alert" class="mb-3 p-3 rounded-lg text-sm
{% if category == 'danger' %}bg-red-50 text-red-900 border border-red-200
{% elif category == 'warning' %}bg-amber-50 text-amber-900 border border-amber-200
{% elif category == 'success' %}bg-green-50 text-green-900 border border-green-200
{% else %}bg-blue-50 text-blue-900 border border-blue-200{% endif %}">
{{ message }}
</div>
{% endfor %}
{% endif %}
{% endwith %}
<form method="POST" action="{{ url_for('auth.reset_password', token=token) }}" class="space-y-4" novalidate>
<input type="hidden" name="csrf_token" value="{{ csrf_token() }}">
<div>
<label for="password" class="block text-sm font-medium text-brand-navy mb-1">Nouveau mot de passe <span class="text-red-600" aria-hidden="true">*</span></label>
<input type="password" id="password" name="password" autocomplete="new-password" minlength="8" required aria-required="true" aria-describedby="password-help"
class="w-full px-3 py-2 border border-brand-border rounded-[0.5rem] text-brand-navy focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2"
placeholder="••••••••">
<p id="password-help" class="text-xs text-brand-navy/70 mt-1">{{ "8&nbsp;caractères minimum, dont une majuscule, une minuscule, un chiffre et un caractère spécial." | safe }}</p>
</div>
<div>
<label for="confirm_password" class="block text-sm font-medium text-brand-navy mb-1">Confirmer le mot de passe <span class="text-red-600" aria-hidden="true">*</span></label>
<input type="password" id="confirm_password" name="confirm_password" autocomplete="new-password" minlength="8" required aria-required="true"
class="w-full px-3 py-2 border border-brand-border rounded-[0.5rem] text-brand-navy focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2"
placeholder="••••••••">
</div>
<button type="submit" class="w-full grad-bg text-white font-semibold py-3 rounded-[0.75rem] shadow-cta hover:shadow-cta-hover transition focus-visible:outline-2 focus-visible:outline-brand-b1 focus-visible:outline-offset-2">
Définir mon nouveau mot de passe
</button>
</form>
<p class="text-center text-sm text-brand-navy/70 mt-6">
<a href="{{ url_for('auth.login') }}" class="grad-text font-semibold">&larr; Retour à la connexion</a>
</p>
</div>
</section>
{% endblock %}
Reference in New Issue View Git Blame Copy Permalink