Streams: Disallow certain markdown characters in stream names.

2025-11-06 23:13:25 +00:00 · 2017-11-25 14:24:31 +05:30
parent 8ed7f73199
commit dd1b14378b
5 changed files with 43 additions and 0 deletions
--- a/frontend_tests/casper_tests/05-subscriptions.js
+++ b/frontend_tests/casper_tests/05-subscriptions.js
@@ -140,6 +140,16 @@ casper.then(function () {
        casper.click('form#stream_creation_form button.button.white');
        casper.fill('form#add_new_subscription', {stream_name: '  '});
        casper.click('#add_new_subscription .create_stream_button');
+        casper.fill('form#stream_creation_form', {stream_name: 'Waseemio@'});
+        casper.click('form#stream_creation_form button.button.sea-green');
+    });
+});
+casper.then(function () {
+    casper.waitForSelectorText('#stream_name_error', 'Stream names cannot contain #, *, `, or @.', function () {
+        casper.test.assertTextExists('Stream names cannot contain #, *, `, or @.', "Can't create a stream with invalid characters");
+        casper.click('form#stream_creation_form button.button.white');
+        casper.fill('form#add_new_subscription', {stream_name: '  '});
+        casper.click('#add_new_subscription .create_stream_button');
        casper.fill('form#stream_creation_form', {stream_name: 'Waseemio'});
        casper.click('form#stream_creation_form button.button.sea-green');
    });
--- a/static/js/stream_create.js
+++ b/static/js/stream_create.js
@@ -33,6 +33,11 @@ var stream_name_error = (function () {
        $("#stream_name_error").show();
    };

+    self.report_invalid_chars = function () {
+        $("#stream_name_error").text(i18n.t("Stream names cannot contain #, *, `, or @."));
+        $("#stream_name_error").show();
+    };
+
    self.select = function () {
        $("#create_stream_name").focus().select();
    };
@@ -66,6 +71,13 @@ var stream_name_error = (function () {
            return false;
        }

+        // Keep characters in sync with Stream.NAME_INVALID_CHARS
+        if (/[#*`@]/.test(stream_name)) {
+            self.report_invalid_chars();
+            self.select();
+            return false;
+        }
+
        // If we got this far, then we think we have a new unique stream
        // name, so we'll submit to the server.  (It's still plausible,
        // however, that there's some invite-only stream that we don't
--- a/zerver/lib/actions.py
+++ b/zerver/lib/actions.py
@@ -1650,6 +1650,9 @@ def check_stream_name(stream_name: Text) -> None:
        raise JsonableError(_("Invalid stream name '%s'" % (stream_name)))
    if len(stream_name) > Stream.MAX_NAME_LENGTH:
        raise JsonableError(_("Stream name too long (limit: %s characters)" % (Stream.MAX_NAME_LENGTH)))
+    if set(stream_name).intersection(Stream.NAME_INVALID_CHARS):
+        raise JsonableError(_("Invalid characters in stream name (disallowed characters: %s)."
+                            % ((', ').join(Stream.NAME_INVALID_CHARS))))
    for i in stream_name:
        if ord(i) == 0:
            raise JsonableError(_("Stream name '%s' contains NULL (0x00) characters." % (stream_name)))
--- a/zerver/models.py
+++ b/zerver/models.py
@@ -851,6 +851,8 @@ def generate_email_token_for_stream() -> str:

 class Stream(models.Model):
    MAX_NAME_LENGTH = 60
+    # Keep in sync with stream_create.js
+    NAME_INVALID_CHARS = ['*', '@', '`', '#']
    name = models.CharField(max_length=MAX_NAME_LENGTH, db_index=True)  # type: Text
    realm = models.ForeignKey(Realm, db_index=True, on_delete=CASCADE)  # type: Realm
    invite_only = models.NullBooleanField(default=False)  # type: Optional[bool]
--- a/zerver/tests/test_subs.py
+++ b/zerver/tests/test_subs.py
@@ -1409,6 +1409,22 @@ class SubscriptionRestApiTest(ZulipTestCase):
        self.assert_json_error(result,
                               "Stream name too long (limit: 60 characters)")

+    def test_stream_name_has_invalid_characters(self) -> None:
+        email = self.example_email('hamlet')
+        self.login(email)
+
+        stream_name = "a*"
+        request = {
+            'delete': ujson.dumps([stream_name])
+        }
+        result = self.client_patch(
+            "/api/v1/users/me/subscriptions",
+            request,
+            **self.api_auth(email)
+        )
+        self.assert_json_error(result,
+                               "Invalid characters in stream name (disallowed characters: *, @, `, #).")
+
    def test_stream_name_contains_null(self) -> None:
        email = self.example_email('hamlet')
        self.login(email)