Don’t populate support form with arbitrary text

I don’t think it’s a massive risk (we’re certainly mitigating against any XSS), but having a page on a GOV.UK domain where you can prefill text on the page from a query string probably isn’t great. So this commit restricts prefilling the support form to a set of named questions.
2026-05-05 16:38:59 -04:00 · 2018-03-20 10:41:58 +00:00
parent a6eeb3cd73
commit 64b5f03dcd
5 changed files with 62 additions and 8 deletions
--- a/app/main/views/feedback.py
+++ b/app/main/views/feedback.py
@@ -13,11 +13,26 @@ from app import (
 )
 from app.main import main
 from app.main.forms import Feedback, Problem, SupportType, Triage
+from app.utils import AgreementInfo

 QUESTION_TICKET_TYPE = 'ask-question-give-feedback'
 PROBLEM_TICKET_TYPE = "report-problem"


+def get_prefilled_message():
+    agreement_info = AgreementInfo.from_current_user()
+    return {
+        'agreement': (
+            agreement_info.as_request_for_agreement()
+        ),
+        'agreement-with-owner': (
+            agreement_info.as_request_for_agreement(with_owner=True)
+        ),
+    }.get(
+        request.args.get('body'), ''
+    )
+
+
@main.route('/feedback', methods=['GET'])
 def old_feedback():
    return redirect(url_for('.support'))
@@ -135,7 +150,7 @@ def feedback(ticket_type):
        return redirect(url_for('.thanks', urgent=urgent, anonymous=anonymous))

    if not form.feedback.data:
-        form.feedback.data = request.args.get('body', '')
+        form.feedback.data = get_prefilled_message()

    return render_template(
        'views/support/{}.html'.format(ticket_type),