From dfa77a95dad7e5fa84fe922a98b33ae9d11443db Mon Sep 17 00:00:00 2001 From: Dave Arter Date: Mon, 30 Sep 2024 13:25:03 +0100 Subject: [PATCH] [Surrey] Disallow email addresses in problem title/detail --- perllib/FixMyStreet/Cobrand/Surrey.pm | 18 ++++++++++++++++++ t/cobrand/surrey.t | 14 ++++++++++++++ templates/web/base/js/translation_strings.html | 1 + templates/web/surrey/footer_extra_js.html | 3 +++ .../council_validation_rules.js | 12 +++++++++++- web/cobrands/surrey/js.js | 10 ++++++++++ 6 files changed, 57 insertions(+), 1 deletion(-) create mode 100644 web/cobrands/surrey/js.js diff --git a/perllib/FixMyStreet/Cobrand/Surrey.pm b/perllib/FixMyStreet/Cobrand/Surrey.pm index 08d45ffbc0d..3a4f888fda7 100644 --- a/perllib/FixMyStreet/Cobrand/Surrey.pm +++ b/perllib/FixMyStreet/Cobrand/Surrey.pm @@ -86,6 +86,24 @@ sub reopening_disallowed { 1 } sub allow_anonymous_reports { 'button' } +=item * Do not allow email addresses in title or detail + +=back + +=cut + +sub report_validation { + my ($self, $report, $errors) = @_; + + my $regex = Utils::email_regex; + + if ($report->detail =~ /$regex/ || $report->title =~ /$regex/) { + $errors->{detail} = 'Please remove any email addresses and other personal information from your report'; + } + + return $errors; +} + =item * Anyone with a surreycc.gov.uk email shows up in the admin =cut diff --git a/t/cobrand/surrey.t b/t/cobrand/surrey.t index 8693ea7bbff..86d88926010 100644 --- a/t/cobrand/surrey.t +++ b/t/cobrand/surrey.t 
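Review bot: In `report_validation` an address found in the title is recorded under `$errors->{detail}`, so the message is presumably shown against the wrong field, and the assignment replaces any detail error already present in `$errors`. With the message held in a `$msg` variable, setting the keys separately keeps them apart: `$errors->{title} = $msg if $report->title =~ /$regex/;` and `$errors->{detail} = $msg if $report->detail =~ /$regex/;`. The title case added in t/cobrand/surrey.t only checks that the text appears somewhere on the page, so it would not notice the difference. This server-side check is the one that actually keeps addresses out of stored reports, so a short comment would help: the pattern is applied unanchored on purpose, and only email addresses are detected although the message also mentions other personal information.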
@@ -92,6 +92,20 @@ FixMyStreet::override_config { $json = $mech->get_ok_json('/around?ajax=1&bbox=-0.45869262976076,51.28481314324,-0.42367370886232,51.302390882532'); is_deeply($json->{pins}, [], 'Borough problem is excluded from Surrey cobrand'); }; + + subtest 'Get error when email included in report' => sub { + $mech->get_ok('/report/new?longitude=-0.441269&latitude=51.293415'); + $mech->submit_form_ok({ with_fields => { category => 'Potholes', title => 'Potholes', detail => 'On main road', name => 'Bob Betts', username_register => 'user@example.org' } }); + $mech->content_contains('Click the link in our confirmation email to publish your problem', 'Detail field without email proceeds normally'); + $mech->get_ok('/report/new?longitude=-0.441269&latitude=51.293415'); + $mech->submit_form_ok({ with_fields => { category => 'Potholes', title => 'Potholes', detail => 'On main road. Contact me at user@example.org', name => 'Bob Betts', username_register => 'user@example.org' } }); + $mech->content_contains("

Please remove any email addresses and other personal information from your report", "Report detail with email gives error"); + $mech->get_ok('/report/new?longitude=-0.441269&latitude=51.293415'); + $mech->submit_form_ok({ with_fields => { category => 'Potholes', title => 'Potholes contact me me@me.co.uk', detail => 'On main road', name => 'Bob Betts', username_register => 'user@example.org' } }); + $mech->content_contains("

Please remove any email addresses and other personal information from your report", "Report title with email gives error"); + $mech->clear_emails_ok; + }; + }; diff --git a/templates/web/base/js/translation_strings.html b/templates/web/base/js/translation_strings.html index 30efe6443e0..c228bbf337e 100644 --- a/templates/web/base/js/translation_strings.html +++ b/templates/web/base/js/translation_strings.html @@ -10,6 +10,7 @@ detail: { required: '[% loc('Please enter some details', "JS") %]', maxlength: '[% loc('Reports are limited to {0} characters in length. Please shorten your report', "JS") %]', + notEmail: '[% loc('Please make sure you are not including an email address', "JS") %]' }, name: { required: '[% loc('Please enter your name', "JS") %]', diff --git a/templates/web/surrey/footer_extra_js.html b/templates/web/surrey/footer_extra_js.html index 88fc006e768..7c1e695903e 100644 --- a/templates/web/surrey/footer_extra_js.html +++ b/templates/web/surrey/footer_extra_js.html @@ -1 +1,4 @@ [% PROCESS 'footer_extra_js_base.html' highways=1 validation=1 %] +[% scripts.push( + version('/cobrands/surrey/js.js'), +) %] diff --git a/web/cobrands/fixmystreet-uk-councils/council_validation_rules.js b/web/cobrands/fixmystreet-uk-councils/council_validation_rules.js index 713bb5e3154..68ccf710d7a 100644 --- a/web/cobrands/fixmystreet-uk-councils/council_validation_rules.js +++ b/web/cobrands/fixmystreet-uk-councils/council_validation_rules.js @@ -106,5 +106,15 @@ body_validation_rules = { maxlength: 20 } }, - 'Southwark Council': confirm_validation_rules + 'Southwark Council': confirm_validation_rules, + 'Surrey County Council': { + title: { + required: true, + notEmail: true + }, + detail: { + required: true, + notEmail: true + } + } }; diff --git a/web/cobrands/surrey/js.js b/web/cobrands/surrey/js.js new file mode 100644 index 00000000000..d60ea784c1f --- /dev/null +++ b/web/cobrands/surrey/js.js 
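Review bot: The two rejection cases in this subtest assert only that the error text is rendered; nothing checks that no report or confirmation email was produced for them. The closing `clear_emails_ok` appears to empty the queue whether it holds one message or three. Asserting the queued email count before clearing (one, from the first valid submission) would pin that a rejected submission stops before anything is stored or sent. A case with an address in both title and detail would be cheap to add as well.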
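Review bot: The `'Surrey County Council'` entry depends on a `notEmail` validator method whose definition is not part of this diff, so it cannot be confirmed here that its pattern agrees with `Utils::email_regex` on the server. If the two differ, a report can pass the browser check and then be rejected after submission, or the reverse. A comment on the entry such as `// convenience only; FixMyStreet::Cobrand::Surrey::report_validation is authoritative` would make the relationship explicit. The entry lists only `required` and `notEmail`; if body rules replace the defaults rather than merge with them, it is worth confirming that limits such as `maxlength` on detail still apply for Surrey.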
@@ -0,0 +1,10 @@
+(function(){
+ if (!window.translation_strings) {
+ return;
+ }
+
+ // Surrey want custom error messages when an email address is present
+ translation_strings.detail.notEmail = 'Report cannot contain an email address or personal information';
+ translation_strings.title.notEmail = 'Report cannot contain an email address or personal information';
+
+})();
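Review bot: Only `window.translation_strings` is checked before `translation_strings.detail` and `translation_strings.title` are written to, so a missing `detail` or `title` entry would make the assignment throw. The shape of `title` is not visible in this commit, since the template hunk adds `notEmail` under `detail` only. The same literal is also written twice, is hard-coded English rather than going through `loc()`, and differs from the server-side message set in Surrey.pm. Holding it in one `var msg` and guarding each target, for example `if (translation_strings.title) { translation_strings.title.notEmail = msg; }`, would cover both points.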