SECURITY: Cross-Site Scripting in Category and Group Settings

spec/models/category_spec.rb

@@ -309,7 +309,7 @@ describe Category do
     it "renames the definition when renamed" do
       @category.update_attributes(name: 'Troutfishing')
       @topic.reload
-      expect(@topic.title).to match /Troutfishing/
+      expect(@topic.title).to match(/Troutfishing/)
     end
 
     it "doesn't raise an error if there is no definition topic to rename (uncategorized)" do
@@ -617,4 +617,38 @@ describe Category do
     end
   end
 
+  describe "validate email_in" do
+    let(:user) { Fabricate(:user) }
+
+    it "works with a valid email" do
+      expect(Category.new(name: 'test', user: user, email_in: 'test@example.com').valid?).to eq(true)
+    end
+
+    it "adds an error with an invalid email" do
+      category = Category.new(name: 'test', user: user, email_in: '<sup>test</sup>')
+      expect(category.valid?).to eq(false)
+      expect(category.errors.full_messages.join).not_to match(/<sup>/)
+    end
+
+    context "with a duplicate email in a group" do
+      let(:group) { Fabricate(:group, name: 'testgroup', incoming_email: 'test@example.com') }
+
+      it "adds an error with an invalid email" do
+        category = Category.new(name: 'test', user: user, email_in: group.incoming_email)
+        expect(category.valid?).to eq(false)
+      end
+    end
+
+    context "with duplicate email in a category" do
+      let!(:category) { Fabricate(:category, user: user, name: '<b>cool</b>', email_in: 'test@example.com') }
+
+      it "adds an error with an invalid email" do
+        category = Category.new(name: 'test', user: user, email_in: "test@example.com")
+        expect(category.valid?).to eq(false)
+        expect(category.errors.full_messages.join).not_to match(/<b>/)
+      end
+    end
+
+  end
+
 end