ukhsa-collaboration
diff --git a/‎ntbs-integration-tests/ContactDetailsPages/ContactDetailsPageTests.cs
Lines changed: 27 additions & 0 deletions b/‎ntbs-integration-tests/ContactDetailsPages/ContactDetailsPageTests.cs
Lines changed: 27 additions & 0 deletions
diff --git a/‎ntbs-integration-tests/ContactDetailsPages/EditContactDetailsTests.cs
Lines changed: 94 additions & 0 deletions b/‎ntbs-integration-tests/ContactDetailsPages/EditContactDetailsTests.cs
Lines changed: 94 additions & 0 deletions
diff --git a/‎ntbs-integration-tests/Helpers/TestUser.cs
Lines changed: 36 additions & 2 deletions b/‎ntbs-integration-tests/Helpers/TestUser.cs
Lines changed: 36 additions & 2 deletions
diff --git a/‎ntbs-integration-tests/Helpers/Utilities.cs
Lines changed: 26 additions & 7 deletions b/‎ntbs-integration-tests/Helpers/Utilities.cs
Lines changed: 26 additions & 7 deletions
diff --git a/‎ntbs-integration-tests/NotificationPages/OverviewPageTests.cs
Lines changed: 39 additions & 0 deletions b/‎ntbs-integration-tests/NotificationPages/OverviewPageTests.cs
Lines changed: 39 additions & 0 deletions
@@ -55,6 +55,33 @@ public async Task BreadcrumbForRegionPresentForRegionalUser()
                 Assert.Contains("Permitted Phec", breadcrumbs);
             }
         }
+
+        [Fact]
+        public async Task CurlyBracketsRemovedForUntrustedContent()
+        {
+            TestUser user = TestUser.UntrustedContentUser;
+            var pageRoute = (RouteHelper.GetContactDetailsSubPath(user.Id, null));
+            using (var client = Factory.WithUserAuth(user).CreateClientWithoutRedirects())
+            {
+                client.DefaultRequestHeaders.Authorization =
+                    new AuthenticationHeaderValue(UserAuthentication.SchemeName);
+                // Arrange
+
+                var initialPage = await client.GetAsync(pageRoute);
+                var pageContent = await GetDocumentAsync(initialPage);
+
+                // Assert
+                var detailsContainer = pageContent.GetElementsByClassName("case-manager-details-container").Single().TextContent;
+
+                Assert.DoesNotContain("{", detailsContainer);
+                Assert.DoesNotContain("}", detailsContainer);
+                Assert.Contains("abc", detailsContainer);
+                Assert.Contains("def", detailsContainer);
+                Assert.Contains("ghi", detailsContainer);
+                Assert.Contains("jkl", detailsContainer);
+                Assert.Contains("mno", detailsContainer);
+            }
+        }
     }
 }
 
@@ -8,6 +8,9 @@
 using ntbs_service.Helpers;
 using ntbs_service.Models.Validations;
 using Xunit;
+using System.Linq;
+using AngleSharp.Dom;
+using AngleSharp.Html.Dom;
 
 namespace ntbs_integration_tests.ContactDetailsPages
 {
@@ -92,6 +95,50 @@ public async Task EditDetails_InvalidFields_DisplayErrors()
             }
         }
 
+        [Fact]
+        public async Task EditDetails_InvalidFields_Curly_Brackets_DisplayErrors()
+        {
+            var user = TestUser.NationalTeamUser;
+            var pageRoute = (RouteHelper.GetContactDetailsSubPath(user.Id, ContactDetailsSubPaths.Edit));
+            using (var client = Factory.WithUserAuth(user).CreateClientWithoutRedirects())
+            {
+                // Arrange
+                var initialPage = await client.GetAsync(pageRoute);
+                var initialDocument = await GetDocumentAsync(initialPage);
+
+                var formData = new Dictionary<string, string>
+                {
+                    ["ContactDetails.Username"] = user.Username,
+                    ["ContactDetails.JobTitle"] = "{Teacher}",
+                    ["ContactDetails.PhoneNumberPrimary"] = "{0888192311}",
+                    ["ContactDetails.PhoneNumberSecondary"] = "{0123871623}",
+                    ["ContactDetails.EmailPrimary"] = "{primary@email}",
+                    ["ContactDetails.EmailSecondary"] = "{secondary@email}",
+                    ["ContactDetails.Notes"] = "{Notes}"
+                };
+
+                // Act
+                var result = await client.SendPostFormWithData(initialDocument, formData, pageRoute);
+
+                // Assert
+                var resultDocument = await GetDocumentAsync(result);
+                result.EnsureSuccessStatusCode();
+
+                resultDocument.AssertErrorMessage("job-title",
+                    string.Format(ValidationMessages.InvalidCharacter, "Job title"));
+                resultDocument.AssertErrorMessage("phone-primary",
+                    string.Format(ValidationMessages.InvalidCharacter, "Phone number #1"));
+                resultDocument.AssertErrorMessage("phone-secondary",
+                    string.Format(ValidationMessages.InvalidCharacter, "Phone number #2"));
+                resultDocument.AssertErrorMessage("email-primary",
+                    string.Format(ValidationMessages.InvalidCharacter, "Email #1"));
+                resultDocument.AssertErrorMessage("email-secondary",
+                    string.Format(ValidationMessages.InvalidCharacter, "Email #2"));
+                resultDocument.AssertErrorMessage("notes",
+                    string.Format(ValidationMessages.InvalidCharacter, "Notes"));
+            }
+        }
+
         [Fact]
         public async Task EditDetails_TabInNotes_DisplayErrors()
         {
@@ -185,5 +232,52 @@ public async Task EditDetails_EditingOtherUser_IsForbiddenForNonAdmin()
                 Assert.Equal(HttpStatusCode.Forbidden, result.StatusCode);
             }
         }
+
+        [Fact]
+        public async Task EditDetails_RemovesCurlyBracketsOnGet()
+        {
+            var user = TestUser.UntrustedContentUser;
+            var pageRoute = (RouteHelper.GetContactDetailsSubPath(user.Id, ContactDetailsSubPaths.Edit));
+            using (var client = Factory.WithUserAuth(user).CreateClientWithoutRedirects())
+            {
+                // Arrange
+                var initialPage = await client.GetAsync(pageRoute);
+                var pageContent = await GetDocumentAsync(initialPage);
+
+                // Act
+                var jobTitle = pageContent.QuerySelector<IHtmlInputElement>("#ContactDetails_JobTitle").Value;
+                var emailPrimary = pageContent.QuerySelector<IHtmlInputElement>("#ContactDetails_EmailPrimary").Value;
+                var emailSecondary = pageContent.QuerySelector<IHtmlInputElement>("#ContactDetails_EmailSecondary").Value;
+                var phoneNumberPrimary = pageContent.QuerySelector<IHtmlInputElement>("#ContactDetails_PhoneNumberPrimary").Value;
+                var phoneNumberSecondary = pageContent.QuerySelector<IHtmlInputElement>("#ContactDetails_PhoneNumberSecondary").Value;
+                var notes = pageContent.QuerySelector<IHtmlTextAreaElement>("#ContactDetails_Notes").Value;
+
+                // Assert
+                Assert.DoesNotContain("{", jobTitle);
+                Assert.DoesNotContain("}", jobTitle);
+                Assert.Equal("abc", jobTitle);
+                
+                Assert.DoesNotContain("{", emailPrimary);
+                Assert.DoesNotContain("}", emailPrimary);
+                Assert.Equal("def", emailPrimary);
+                
+                Assert.DoesNotContain("{", emailSecondary);
+                Assert.DoesNotContain("}", emailSecondary);
+                Assert.Equal("ghi", emailSecondary);
+                
+                Assert.DoesNotContain("{", phoneNumberPrimary);
+                Assert.DoesNotContain("}", phoneNumberPrimary);
+                Assert.Equal("jkl", phoneNumberPrimary);
+                
+                Assert.DoesNotContain("{", phoneNumberSecondary);
+                Assert.DoesNotContain("}", phoneNumberSecondary);
+                Assert.Equal("", phoneNumberSecondary);
+                
+                Assert.DoesNotContain("{", notes);
+                Assert.DoesNotContain("}", notes);
+                Assert.Equal("mno", notes);
+
+            }
+        }
     }
 }
@@ -27,6 +27,12 @@ public class TestUser : ITestUser
         public IEnumerable<string> TbServiceCodes { get; }
         public bool IsReadOnly { get; }
         public bool IsActive { get; }
+        public string JobTitle { get; set; }
+        public string EmailPrimary { get; set; }
+        public string EmailSecondary { get; set; }
+        public string PhoneNumberPrimary { get; set; }
+        public string PhoneNumberSecondary { get; set; }
+        public string Notes { get; set; }
 
         private TestUser(
             int id,
@@ -36,7 +42,13 @@ private TestUser(
             IEnumerable<string> adGroups,
             IEnumerable<string> tbServiceCodes = null,
             bool isReadOnly = false,
-            bool isActive = true)
+            bool isActive = true,
+            string jobTitle = null,
+            string emailPrimary = null,
+            string emailSecondary = null,
+            string phoneNumberPrimary = null,
+            string phoneNumberSecondary = null,
+            string notes = null)
         {
             Id = id;
             Username = username;
@@ -46,6 +58,12 @@ private TestUser(
             TbServiceCodes = tbServiceCodes ?? new List<string>();
             IsReadOnly = isReadOnly;
             IsActive = isActive;
+            JobTitle = jobTitle;
+            EmailPrimary = emailPrimary;
+            EmailSecondary = emailSecondary;
+            PhoneNumberPrimary = phoneNumberPrimary;
+            PhoneNumberSecondary = phoneNumberSecondary;
+            Notes = notes;
         }
 
         public static IEnumerable<TestUser> GetAll() => new[]
@@ -61,7 +79,8 @@ public static IEnumerable<TestUser> GetAll() => new[]
             GatesheadCaseManager2,
             InactiveGatesheadCaseManager,
             Developer,
-            ReadOnlyUser
+            ReadOnlyUser,
+            UntrustedContentUser
         };
 
         public static TestUser ServiceUserForAbingdonAndPermitted = new TestUser(
@@ -159,5 +178,20 @@ public static IEnumerable<TestUser> GetAll() => new[]
             UserType.ServiceOrRegionalUser,
             new[] { Utilities.READ_ONLY_AD_GROUP },
             isReadOnly: true);
+
+        public static TestUser UntrustedContentUser = new TestUser
+        (
+            7893,
+            "someone@ntbs.phe.com",
+            "Someone",
+            UserType.NationalTeam,
+            new[] { Utilities.NATIONAL_AD_GROUP },
+            jobTitle: "{abc}",
+            emailPrimary: "{{def}}",
+            emailSecondary: "g{{hi}}",
+            phoneNumberPrimary: "j}{kl}",
+            phoneNumberSecondary: "{{}}",
+            notes: "}}mno"
+        );
     }
 }
@@ -60,16 +60,23 @@ public static class Utilities
         public const int DRAFT_WITH_NO_START_DATES = 10075;
 
         public const int CLINICAL_NOTIFICATION_EXTRA_PULMONARY_ID = 10080;
-
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_ALERT = 10083;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_TREATMENTEVENT = 10084;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_TREATMENTEVENTS = 10085;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_SOCIALCONTEXTVENUES = 10086;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_SOCIALCONTEXTADDRESSES = 10087;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_OVERVIEW = 10088;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_SOCIALCONTEXTVENUE = 10089;
         public const int LATE_DOB_ID = 10090;
+        public const int NOTIFIED_ID_WITH_TRANSFER_REQUEST_TO_REJECT = 10091;
+        public const int NOTIFICATION_WITH_TRANSFER_REQUEST_TO_ACCEPT = 10092;
+        public const int NOTIFICATION_WITH_TRANSFER = 10093;
+        public const int NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_SOCIALCONTEXTADDRESS = 10094;
         public const int NOTIFICATION_DATE_TODAY = 10095;
         public const int NOTIFICATION_DATE_OVER_YEAR_AGO = 10096;
         public const int LINKED_NOTIFICATION_ABINGDON_TB_SERVICE = 10097;
         public const int LINK_NOTIFICATION_ROYAL_FREE_LONDON_TB_SERVICE = 10098;
 
-        public const int NOTIFIED_ID_WITH_TRANSFER_REQUEST_TO_REJECT = 10091;
-        public const int NOTIFICATION_WITH_TRANSFER_REQUEST_TO_ACCEPT = 10092;
-        public const int NOTIFICATION_WITH_TRANSFER = 10093;
 
         public static int SPECIMEN_MATCHING_NOTIFICATION_ID1 = MockSpecimenService.MockSpecimenNotificationId1; // 10100
         public static int SPECIMEN_MATCHING_NOTIFICATION_ID2 = MockSpecimenService.MockSpecimenNotificationId2; // 10101
@@ -118,6 +125,8 @@ public static class Utilities
         public const int TRANSFER_REJECTED_ID = 20005;
         public const int TRANSFER_ALERT_ID_TO_ACCEPT_2 = 20006;
         public const int TRANSFER_ALERT_WITH_DATE = 20010;
+        public const int TRANSFER_ALERT_DECLINED = 20011;
+
 
         public const int DRAFT_DATA_QUALITY_ALERT = 20007;
         public const int ALERT_TO_DISMISS_ID = 20008;
@@ -231,7 +240,10 @@ public static void SeedDatabase(NtbsContext context)
             context.Notification.AddRange(StopShareWithServicePageTests.GetSeedingNotifications());
             context.Notification.AddRange(ManualTestResultEditPagesTests.GetSeedingNotifications());
             context.Notification.AddRange(SocialContextVenueEditPageTests.GetSeedingNotifications());
+            context.Notification.AddRange(SocialContextVenuesEditPageTests.GetSeedingNotifications());
             context.Notification.AddRange(SocialContextAddressEditPageTests.GetSeedingNotifications());
+            context.Notification.AddRange(SocialContextAddressesEditPageTests.GetSeedingNotifications());
+            context.Notification.AddRange(TreatmentEventsEditPageTests.GetSeedingNotifications());
             context.Notification.AddRange(TreatmentEventEditPageTests.GetSeedingNotifications());
             context.Notification.AddRange(ClinicalDetailsPageTests.GetSeedingNotifications());
             context.Notification.AddRange(ActionTransferPageTests.GetSeedingNotifications());
@@ -241,11 +253,12 @@ public static void SeedDatabase(NtbsContext context)
             context.Notification.AddRange(MBovisOccupationExposurePageTests.GetSeedingNotifications());
             context.Notification.AddRange(MBovisAnimalExposurePageTests.GetSeedingNotifications());
             context.Notification.AddRange(DraftEditPageTests.GetSeedingNotifications());
+            context.Notification.AddRange(RejectTransferPageTests.GetSeedingNotifications());
 
-            context.TreatmentOutcome.AddRange(TreatmentEventEditPageTests.GetSeedingOutcomes());
+            context.TreatmentOutcome.AddRange(TreatmentEventsEditPageTests.GetSeedingOutcomes());
 
             context.Alert.AddRange(DraftEditPageTests.GetSeedingAlerts());
-
+            context.Alert.AddRange(RejectTransferPageTests.GetSeedingAlerts());
             context.SaveChanges();
         }
 
@@ -268,7 +281,13 @@ private static IEnumerable<User> GetCaseManagers()
                 AdGroups = string.Join(',', user.AdGroups),
                 IsCaseManager = true,
                 IsReadOnly = user.IsReadOnly,
-                IsActive = user.IsActive
+                IsActive = user.IsActive,
+                JobTitle = user.JobTitle,
+                PhoneNumberPrimary = user.PhoneNumberPrimary,
+                PhoneNumberSecondary = user.PhoneNumberSecondary,
+                EmailPrimary = user.EmailPrimary,
+                EmailSecondary = user.EmailSecondary,
+                Notes = user.Notes
             });
         }
 
 
@@ -93,6 +93,26 @@ public static IList<Notification> GetSeedingNotifications()
                             TbServiceCode = Utilities.TBSERVICE_ABINGDON_COMMUNITY_HOSPITAL_ID
                         }
                     }
+                },
+                new Notification
+                {
+                    NotificationId = Utilities.NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_OVERVIEW,
+                    NotificationStatus = NotificationStatus.Notified,
+                    SocialContextAddresses = new List<SocialContextAddress>
+                    {
+                        new SocialContextAddress
+                        {
+                            Details = "{{abc}}"
+                        },
+                    },
+                    SocialContextVenues = new List<SocialContextVenue>
+                    {
+                        new SocialContextVenue
+                        {
+                            Details = "{{def}}",
+                            Name = "{{ghi}}"
+                        }
+                    }
                 }
             };
         }
@@ -458,6 +478,25 @@ public async Task OverviewPageContainsAnchorId_ForNotificationSubPath()
             });
         }
 
+        [Fact]
+        public async Task OverviewPageRemovesCurlyBracketsFromComment()
+        {
+            // Arrange
+            var url = GetCurrentPathForId(Utilities.NOTIFICATION_ID_WITH_CURLY_BRACKETS_IN_OVERVIEW);
+
+            // Act
+            var document = await GetDocumentForUrlAsync(url);
+
+            // Asset
+            var detailsContainer = document.GetElementById("maincontent").TextContent;
+
+            Assert.DoesNotContain("{", detailsContainer);
+            Assert.DoesNotContain("}", detailsContainer);
+            Assert.Contains("abc", detailsContainer);
+            Assert.Contains("def", detailsContainer);
+            Assert.Contains("ghi", detailsContainer);
+        }
+
         private void AssertEditOverview(IHtmlDocument document)
         {
             AssertSectionTitlesInDocument(document);