authorStruan Donald <struan@exo.org.uk>2019-07-29 17:30:56 +0100
committerStruan Donald <struan@exo.org.uk>2019-08-02 09:38:05 +0100
commit6dc425da8743d68a10edc778dc36593e9b754ed8 (patch)
treef912f3289c0ab3213d72fc775020c944b7efa5ad
parentc21d5b650fcd7e5b745461628b5eb48c1f22ac23 (diff)
prevent including email address in report title
If Chrome's autofill is turned on and has the user's login saved, it can fill the user's email address into the report title, so add validation to make sure the title does not look like an email address. Fixes #2570
-rw-r--r--perllib/FixMyStreet/DB/Result/Problem.pm3
-rw-r--r--t/app/controller/report_new.t23
-rw-r--r--templates/web/base/js/translation_strings.html3
-rw-r--r--web/cobrands/fixmystreet/fixmystreet.js2
-rw-r--r--web/js/validation_rules.js2
5 files changed, 31 insertions, 2 deletions
diff --git a/perllib/FixMyStreet/DB/Result/Problem.pm b/perllib/FixMyStreet/DB/Result/Problem.pm
index c1608b35d..09c6cb06d 100644
--- a/perllib/FixMyStreet/DB/Result/Problem.pm
+++ b/perllib/FixMyStreet/DB/Result/Problem.pm
@@ -362,6 +362,9 @@ sub check_for_errors {
$errors{title} = _('Please enter a subject')
unless $self->title =~ m/\S/;
+ $errors{title} = _('Please make sure you are not including an email address')
+ if mySociety::EmailUtil::is_valid_email($self->title);
+
$errors{detail} = _('Please enter some details')
unless $self->detail =~ m/\S/;
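Review bot: The new check `if mySociety::EmailUtil::is_valid_email($self->title);` only rejects a title that is, in its entirety, an email address, so a title like `Broken light user@example.com` (or, if is_valid_email is strict about whitespace, one with a leading or trailing space) still passes and the address ends up in the publicly visible title. If the goal is to keep addresses out of titles rather than only the exact autofill case, consider also matching an email-shaped token anywhere, e.g. `if mySociety::EmailUtil::is_valid_email($self->title) || $self->title =~ /\S+@\S+\.\S+/;` — the exact semantics of is_valid_email are not visible here, so confirm what it accepts before relying on it. The hunk also calls into mySociety::EmailUtil without showing a `use mySociety::EmailUtil;` in this package; if Problem.pm does not already load it, the call dies at runtime with an undefined-subroutine error. check_for_errors starts and ends outside this hunk.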
diff --git a/t/app/controller/report_new.t b/t/app/controller/report_new.t
index e824eb143..417d91ef9 100644
--- a/t/app/controller/report_new.t
+++ b/t/app/controller/report_new.t
@@ -519,6 +519,29 @@ foreach my $test (
errors => [ "Please enter a subject" ],
},
{
+ msg => 'email in title',
+ pc => 'SW1A 1AA',
+ fields => {
+ title => 'user@example.com',
+ detail => 'Test detail',
+ photo1 => '',
+ photo2 => '',
+ photo3 => '',
+ name => 'Joe Smith',
+ may_show_name => '1',
+ username => 'user@example.com',
+ phone => '',
+ category => 'Street lighting',
+ password_sign_in => '',
+ password_register => '',
+ },
+ changes => {
+ username => 'user@example.com',
+ title => 'User@example.com'
+ },
+ errors => [ 'Please make sure you are not including an email address', ],
+ },
+ {
msg => 'Bromley long detail',
pc => 'BR1 3UH',
fields => {
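Review bot: The new case only exercises a title that is exactly an email address, which mirrors the single shape the server-side check rejects; a second case with the address embedded in other text (e.g. `title => 'Broken light user@example.com'`) would pin down whether that is meant to be rejected too, and a negative case such as `title => 'Pothole @ the corner'` would guard against the validation rejecting ordinary uses of "@". The expected `title => 'User@example.com'` under `changes` indicates the title is capitalised on its way through, so this test implicitly depends on the email check remaining case-insensitive; a one-line comment saying so would stop a future change to is_valid_email from silently turning this into a pass. The surrounding test table starts and ends outside the hunk.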
diff --git a/templates/web/base/js/translation_strings.html b/templates/web/base/js/translation_strings.html
index 0210aff84..21591203d 100644
--- a/templates/web/base/js/translation_strings.html
+++ b/templates/web/base/js/translation_strings.html
@@ -7,7 +7,8 @@ fixmystreet.password_minimum_length = [% c.cobrand.password_minimum_length %];
error: '[% loc('Error') | replace("'", "\\'") %]',
title: {
required: '[% loc('Please enter a subject') | replace("'", "\\'") %]',
- maxlength: '[% loc('Summaries are limited to {0} characters in length. Please shorten your summary') | replace("'", "\\'") %]'
+ maxlength: '[% loc('Summaries are limited to {0} characters in length. Please shorten your summary') | replace("'", "\\'") %]',
+ notEmail: '[% loc('Please make sure you are not including an email address') %]'
},
detail: {
required: '[% loc('Please enter some details') | replace("'", "\\'") %]',
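Review bot: The added `notEmail` string is the only one in this object not passed through `| replace("'", "\\'")`, so any translation of "Please make sure you are not including an email address" that contains an apostrophe (common in French or Italian, for example) would terminate the single-quoted JS string early and break, or allow injecting into, the generated script. It should follow its siblings: `notEmail: '[% loc('Please make sure you are not including an email address') | replace("'", "\\'") %]'`.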
diff --git a/web/cobrands/fixmystreet/fixmystreet.js b/web/cobrands/fixmystreet/fixmystreet.js
index 8a300085b..c952236d4 100644
--- a/web/cobrands/fixmystreet/fixmystreet.js
+++ b/web/cobrands/fixmystreet/fixmystreet.js
@@ -294,6 +294,8 @@ $.extend(fixmystreet.set_up, {
jQuery.validator.addMethod('js-password-validate', function(value, element) {
return !value || value.length >= fixmystreet.password_minimum_length;
}, translation_strings.password_register.short);
+ jQuery.validator.addMethod('notEmail', function(value, element) {
+ return this.optional(element) || !/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@(?:\S{1,63})$/.test( value ); }, translation_strings.title );
}
var submitted = false;
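Review bot: The third argument to `addMethod('notEmail', …)` is `translation_strings.title`, which is the whole `{required, maxlength, notEmail}` object rather than the message string; the sibling line above passes `translation_strings.password_register.short`, so this presumably should be `translation_strings.title.notEmail`. If the form's validate() options already supply per-field messages from translation_strings this works by accident, but the registered fallback message would render as "[object Object]" wherever they do not — that configuration is not visible in the hunk. The regex `/^[a-zA-Z0-9.!#$%&'*+\/=?^_`{|}~-]+@(?:\S{1,63})$/` is also anchored to the whole value, so like the server check it lets a title that merely contains an address through, and `$` will still match when the value ends in a newline; `\s*$` or trimming the value first would make the client and server checks agree on whitespace. Style-wise the method body and its closing `}, translation_strings.title );` are crammed on one line, unlike the `js-password-validate` method above; reformatting it to match would help the next reader.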
diff --git a/web/js/validation_rules.js b/web/js/validation_rules.js
index 3e7b010f2..9044def73 100644
--- a/web/js/validation_rules.js
+++ b/web/js/validation_rules.js
@@ -1,5 +1,5 @@
core_validation_rules = {
- title: { required: true },
+ title: { required: true, notEmail: true },
detail: { required: true },
update: { required: true },
password_register: {