A POST endpoint

  1. POST endpoint for creating forms

    You will be building an application that accepts POST data from any website, inserts the escaped POST data into an email, and sends that email to a single configured address.

    The application will then redirect the user to a 'success' url.
  2. This is new software

    You are not editing an existing system, and you are not installing this system. We will install it.
  3. High level requirements

    The application must:
    - Accept POST data from a configurable list of white-listed domain names
    - Reject POST data from non-white-listed domain names
    - Return 404 error for GET requests
    - Accept forms with any type and number of fields (except FILE fields)
    - Insert the field names and values into an email
    - Escape the field names and values in the email (so malicious HTML code cannot be inserted)
    - Email the escaped field names and values to a configurable email address
    - Redirect the user (302) to a success page.
  4. Configuration

    We must be able to configure the following from a settings file:

    - The white list of domains
    - The To email address and subject
    - The default redirect URL
  5. Inserting into email

    The contents of the form must be written in text JSON format into the email. There is no need to indent or pretty print the JSON.

    Example:

    {"name": "Jim Jones", "email": "jim@example.com"}

    For an example form with two fields:
    - name; and
    - email

    Remember that this system must handle any number of fields with any names, not just 'name' or 'email'!
  6. Any number of fields

    You won't know the names of the fields in advance; they will always be changing. So the application must handle any field names.
  7. Escape the fields

    Make sure that both the field name and the field value are escaped before they are inserted into the email, to prevent malicious code. This is important and we will check it carefully.

    Escape the field name and value using a Django-like HTML escape function: https://docs.djangoproject.com/en/dev/ref/templates/builtins/?from=olddocs#escape
  8. The redirect page

    The redirect page can be set by the form using the known field name 'next', whose value should be a URL.

    You must check that the URL is valid and that its domain is in the whitelist before redirecting.

    If the URL is invalid, or 'next' is missing or incorrect, then redirect to the default URL given in the configuration file.
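Items 3 to 8 describe one small application, so here is a complete, runnable sketch of it in Python as an added example; it is not code from the job poster and not a Django project, just a plain WSGI callable with the checks pulled out into testable functions. It assumes the submitting site is identified by the Origin header (Referer as a fallback), that rejected origins get a 403, and that the settings file is stood in for by the constructed SETTINGS dict; the email sender is injected so nothing talks to SMTP. The domain check is an exact host match, because a substring or suffix match would accept hosts that merely contain a whitelisted name.

```python
import html
import io
import json
from urllib.parse import parse_qs, urlsplit

# Constructed settings standing in for the settings file the spec calls for.
SETTINGS = {
    "whitelist": ["example.com", "www.example.com"],
    "to_email": "forms@example.org",
    "subject": "New form submission",
    "default_redirect": "https://example.com/thanks",
}


def host_of(url):
    """Return the lowercase host of an http(s) URL, or None for anything else."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower()


def domain_allowed(url, whitelist):
    """Exact host match only: a suffix match would let evil-example.com through."""
    host = host_of(url)
    return host is not None and host in {d.lower() for d in whitelist}


def escape_fields(fields):
    """Escape names and values; html.escape(quote=True) covers the same five
    characters (& < > " ') as Django's escape filter."""
    return {html.escape(k, quote=True): html.escape(v, quote=True)
            for k, v in fields.items()}


def email_body(fields):
    """One-line JSON text of the escaped fields (no pretty printing, per the spec)."""
    return json.dumps(escape_fields(fields), separators=(",", ":"))


def choose_redirect(fields, settings):
    """Honour the form's 'next' only if its host is whitelisted; else the default."""
    nxt = fields.get("next", "")
    if domain_allowed(nxt, settings["whitelist"]):
        return nxt
    return settings["default_redirect"]


def application(environ, start_response, settings=SETTINGS, send_email=None):
    """WSGI entry point. send_email(to, subject, body) is injected so the
    example runs without an SMTP server."""
    if environ.get("REQUEST_METHOD") != "POST":
        start_response("404 Not Found", [("Content-Type", "text/plain")])
        return [b"Not found"]
    # Assumption: the submitting site is identified by Origin (Referer as a
    # fallback). Browsers set these, but they are client-supplied, so this is a
    # coarse filter against stray submissions, not authentication.
    origin = environ.get("HTTP_ORIGIN") or environ.get("HTTP_REFERER") or ""
    if not domain_allowed(origin, settings["whitelist"]):
        start_response("403 Forbidden", [("Content-Type", "text/plain")])
        return [b"Domain not allowed"]
    length = int(environ.get("CONTENT_LENGTH") or 0)
    raw = environ["wsgi.input"].read(length).decode("utf-8", "replace")
    # Any field names, any count; first value wins for repeated names.
    # FILE fields (multipart/form-data) are out of scope, as the spec says.
    fields = {k: v[0] for k, v in parse_qs(raw, keep_blank_values=True).items()}
    if send_email is not None:
        send_email(settings["to_email"], settings["subject"], email_body(fields))
    start_response("302 Found", [("Location", choose_redirect(fields, settings))])
    return [b""]


def run_request(method, origin, body, settings=SETTINGS):
    """Drive the app with a constructed request; returns (status, Location, emails sent)."""
    sent, captured = [], {}

    def start_response(status, headers):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {
        "REQUEST_METHOD": method,
        "HTTP_ORIGIN": origin,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
    }
    list(application(environ, start_response, settings, lambda *a: sent.append(a)))
    return captured["status"], captured["headers"].get("Location"), sent


if __name__ == "__main__":
    # Constructed submission: a script tag in 'name' arrives in the email escaped.
    form = b"name=%3Cscript%3E&email=jim%40example.com&next=https%3A%2F%2Fwww.example.com%2Fdone"
    print(run_request("POST", "https://example.com", form))
```

Running the block directly shows a 302 to the form's own 'next' URL and one email whose body is the single-line JSON with the script tag turned into `&lt;script&gt;`; a 'next' pointing at a host outside the whitelist falls back to the configured default, and a GET gets the 404 the spec asks for.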
  9. Contact us now

    Did you read this procedure? Are you interested in doing the work? Contact us and say that you have read and understood it.

    Also give us *one* example of how someone could hack this application; or
    *one* suggestion for improving the procedure.

    We will not respond unless you give *one* answer in your response.