Merge pull request #2037 from alphagov/strip-obscure-whitespace

Strip obscure whitespace from form submissions

app/main/forms.py

@@ -1,3 +1,4 @@
+import string
 import weakref
 from datetime import datetime, timedelta
 from itertools import chain
@@ -40,6 +41,15 @@ from app.main.validators import (
     ValidGovEmail,
 )
 
+OBSCURE_WHITESPACE = (
+    '\u180E'  # Mongolian vowel separator
+    '\u200B'  # zero width space
+    '\u200C'  # zero width non-joiner
+    '\u200D'  # zero width joiner
+    '\u2060'  # word joiner
+    '\uFEFF'  # zero width non-breaking space
+)
+
 
 def get_time_value_and_label(future_time):
     return (
@@ -110,7 +120,7 @@ def email_address(label='Email address', gov_user=True):
 
 def strip_whitespace(value):
     if value is not None and hasattr(value, 'strip'):
-        return value.strip()
+        return value.strip(string.whitespace + OBSCURE_WHITESPACE)
     return value
 
 

tests/app/main/test_strip_whitespace_form.py

@@ -0,0 +1,32 @@
+import pytest
+from wtforms import Form, StringField
+
+from app.main.forms import StripWhitespaceForm, StripWhitespaceStringField
+
+
+class ExampleForm(StripWhitespaceForm):
+    foo = StringField('Foo')
+
+
+class ExampleFormSpecialField(Form):
+    foo = StripWhitespaceStringField('foo')
+
+
+@pytest.mark.parametrize('submitted_data', [
+    'bar',
+    ' bar ',
+    """
+        \t    bar
+    """,
+    ' \u180E\u200B \u200C bar \u200D \u2060\uFEFF ',
+])
+@pytest.mark.parametrize('form', [
+    ExampleForm,
+    ExampleFormSpecialField,
+])
+def test_form_strips_all_whitespace(
+    app_,
+    form,
+    submitted_data,
+):
+    assert form(foo=submitted_data).foo.data == 'bar'