Open
Description
On the latest version 2.0.2 I get this thanks to some hackers:
```
File "/usr/local/lib/python2.7/dist-packages/django_comments/views/comments.py" in post_comment
130. request=request
File "/usr/local/lib/python2.7/dist-packages/django/dispatch/dispatcher.py" in send
191. response = receiver(signal=self, sender=sender, **named)
File "/usr/local/lib/python2.7/dist-packages/fluent_comments/models.py" in on_comment_posted
82. send_mail(subject, message, settings.DEFAULT_FROM_EMAIL, recipient_list, fail_silently=True)
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/__init__.py" in send_mail
62. return mail.send()
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in send
342. return self.get_connection(fail_silently).send_messages([self])
File "/usr/local/lib/python2.7/dist-packages/django_yubin/smtp_queue.py" in send_messages
36. queue_email_message(email_message)
File "/usr/local/lib/python2.7/dist-packages/django_yubin/__init__.py" in queue_email_message
123. encoded_message=email_message.message().as_string())
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in message
307. msg['Subject'] = self.subject
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in __setitem__
232. name, val = forbid_multi_line_headers(name, val, self.encoding)
File "/usr/local/lib/python2.7/dist-packages/django/core/mail/message.py" in forbid_multi_line_headers
92. raise BadHeaderError("Header values can't contain newlines (got %r for header %r)" % (val, name))

Exception Type: BadHeaderError at /comments/post/
Exception Value: Header values can't contain newlines (got u'[SITE] New comment posted on "<script>alert(1)</script> <script>alert(1)</script>: <img src=x onerror=alert(1)>\r\n\r\ntest..."' for header u'Subject')

Request information:
```
Other than disabling the emails I don't see any way to block the bad content. I don't actually need to see the actual comment, just knowing there's one there is good enough.
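The traceback shows the actual failure: the comment title was copied into the mail `Subject` with its `\r\n` intact, and Django's `forbid_multi_line_headers` refuses any header value containing CR or LF (that check is what prevents header injection, so it should stay). The example below is added here and is not code from the issue or from django-fluent-comments; it reproduces the check on a title constructed from the reported exception value and shows two ways to build a subject that passes it: folding newlines out of the title, or leaving the comment text out of the subject entirely, which is what the reporter asks for. The function names (`header_is_safe`, `collapse_newlines`, `notification_subject`) are this example's own.

```python
import re

# Constructed sample values taken from the exception in the issue's traceback.
SAMPLE_SITE = "[SITE]"
SAMPLE_TITLE = '<script>alert(1)</script>: <img src=x onerror=alert(1)>\r\n\r\ntest...'

_NEWLINES = re.compile(r"[\r\n]+")


def header_is_safe(value):
    """The same condition Django's forbid_multi_line_headers enforces:
    a header value may contain neither CR nor LF."""
    return "\r" not in value and "\n" not in value


def collapse_newlines(value, max_len=80):
    """Fold every run of CR/LF into a single space and cap the length,
    so user-supplied text can be placed in a single-line header."""
    folded = _NEWLINES.sub(" ", value).strip()
    return folded[:max_len]


def notification_subject(site_name, comment_title=None):
    """Build the Subject line for a new-comment notification.

    With comment_title=None the subject only says that a comment was
    posted (no comment content reaches the header at all); otherwise the
    title is folded first so the header check cannot fail.
    """
    if comment_title is None:
        return "%s New comment posted" % site_name
    return '%s New comment posted on "%s"' % (site_name, collapse_newlines(comment_title))


if __name__ == "__main__":
    # The raw subject, built the way the failing code did it, fails the check.
    raw = '%s New comment posted on "%s"' % (SAMPLE_SITE, SAMPLE_TITLE)
    print("raw subject accepted:", header_is_safe(raw))
    # Both hardened forms pass it.
    print(notification_subject(SAMPLE_SITE, SAMPLE_TITLE))
    print(notification_subject(SAMPLE_SITE))
```

The `<script>` and `<img onerror>` fragments in the title are inert inside a Subject header; they only matter wherever the comment is later rendered as HTML, which is a separate escaping concern (Django templates autoescape by default). The header failure here is purely the embedded CR/LF, and folding or omitting the user text fixes it without weakening Django's check.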