Page MenuHomePhabricator
Create Task
Maniphest T231813

Handling of invalid banner data on Laika skin
Open, Needs TriagePublic
Actions

Description

Unlike the older skins, the Laika skin accepts any interval and amount value provided by a banner and places users on the address page. This makes it open for abuse and more prone to users being affected by issues in banners Currently, URLs like the following examples are possible and will place you on the second page of the donation form (which should only be possible with valid data):

&zahlweise=BEZ&amountGiven=1&periode=24
&zahlweise=BEZ&amountGiven=0.01&periode=6
&zahlweise=BEZ&amountGiven=0.01&periode=8

Since there is no server-side validation for the intervals, it's possible to make a donation with random intervals. This issue, however, has already been documented as part of T222636 and should be fixed separately.

The acceptance criteria for this ticket is that if an invalid amount of interval is entered, users are not placed on the second donation page but are rather shown an error on the first donation page.

Related Objects

Event Timeline

Tim_WMDE created this task.Sep 2 2019, 12:21 PM
Restricted Application added a subscriber: Aklapper. · View Herald TranscriptSep 2 2019, 12:21 PM
gabriel-wmde subscribed.Sep 3 2019, 4:55 PM

For the amount, you should add validationResult to DonationAmountModel and check if validationResult.paymentData is true before dispatching initializePayment. See also DonationFormPresenter.php. T222636 should also tap into that validation, so the client-side code will the automatically check the interval too.

Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL