fix: usernames should encode all characters in emails

parse-community · Jan 14, 2025 · 1f68ff7 · 1f68ff7
1 parent 28b3ede
commit 1f68ff7
Show file tree

Hide file tree

Showing 3 changed files with 47 additions and 2 deletions.
diff --git a/spec/EmailVerificationToken.spec.js b/spec/EmailVerificationToken.spec.js
@@ -52,6 +52,39 @@ describe('Email Verification Token Expiration: ', () => {
       });
   });
 
+  it('should send an HTML or properly escaped plain text password reset email', async () => {
+    const user = new Parse.User();
+    let sendEmailOptions;
+    const emailAdapter = {
+      sendPasswordResetEmail: (options) => {
+        sendEmailOptions = options;
+      },
+      sendVerificationEmail: async () => {},
+      sendMail: async () => {},
+    };
+
+    await reconfigureServer({
+      appName: 'specialCharacterUsernameTest',
+      publicServerURL: 'http://localhost:8378/1',
+      emailAdapter: emailAdapter,
+    });
+
+    user.setUsername('hello :)');
+    user.setPassword('password123');
+    user.set('email', '[email protected]');
+    await user.signUp();
+
+    await Parse.User.requestPasswordReset('[email protected]');
+
+    expect(sendEmailOptions).not.toBeUndefined();
+
+    const { link, html, text } = sendEmailOptions;
+
+    const username = link.split('username=')[1];
+    expect(username).toBe('%68%65%6C%6C%6F%20%3A%29');
+  });
+
+
   it('emailVerified should set to false, if the user does not verify their email before the email verify token expires', done => {
     const user = new Parse.User();
     let sendEmailOptions;

diff --git a/src/Controllers/UserController.js b/src/Controllers/UserController.js
@@ -6,6 +6,7 @@ import rest from '../rest';
 import Parse from 'parse/node';
 import AccountLockout from '../AccountLockout';
 import Config from '../Config';
+import Utils from '../Utils';
 
 var RestQuery = require('../RestQuery');
 var Auth = require('../Auth');
@@ -173,7 +174,7 @@ export class UserController extends AdaptableController {
     if (!shouldSendEmail) {
       return;
     }
-    const username = encodeURIComponent(fetchedUser.username);
+    const username = Utils.encode(fetchedUser.username);
 
     const link = buildEmailLink(this.config.verifyEmailURL, username, token, this.config);
     const options = {
@@ -286,7 +287,7 @@ export class UserController extends AdaptableController {
       user = await this.setPasswordResetToken(email);
     }
     const token = encodeURIComponent(user._perishable_token);
-    const username = encodeURIComponent(user.username);
+    const username = Utils.encode(user.username);
 
     const link = buildEmailLink(this.config.requestResetPasswordURL, username, token, this.config);
     const options = {

diff --git a/src/Utils.js b/src/Utils.js
@@ -399,6 +399,17 @@ class Utils {
     }
     return obj;
   }
+
+  /**
+   * Encodes a string to be used in a URL.
+   * @param {String} input The string to encode.
+   * @returns {String} The encoded string.
+   */
+  static encode(input) {
+    return Array.from(input)
+        .map(char => `%${char.charCodeAt(0).toString(16).padStart(2, '0').toUpperCase()}`)
+        .join('');
+  }
 }
 
 module.exports = Utils;