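--- a/src/api.v
+++ b/src/api.v
@@ -154,22 +154,22 @@
 return ctx.redirect('/login')
 }
 
-mut sanatized_nickname := ?string(sanatize(nickname).trim_space())
-if sanatized_nickname or { '' } == '' {
-sanatized_nickname = none
+mut clean_nickname := ?string(nickname.trim_space())
+if clean_nickname or { '' } == '' {
+clean_nickname = none
 }
 
 // validate
-if sanatized_nickname != none && !app.validators.nickname.validate(sanatized_nickname or { '' }) {
+if clean_nickname != none && !app.validators.nickname.validate(clean_nickname or { '' }) {
 ctx.error('invalid nickname')
 return ctx.redirect('/me')
 }
 
 sql app.db {
-update User set nickname = sanatized_nickname where id == user.id
+update User set nickname = clean_nickname where id == user.id
 } or {
 ctx.error('failed to change nickname')
-eprintln('failed to update nickname for ${user} (${user.nickname} -> ${sanatized_nickname})')
+eprintln('failed to update nickname for ${user} (${user.nickname} -> ${clean_nickname})')
 return ctx.redirect('/me')
 }
 
@@ -213,7 +213,7 @@
 
 mut theme := ?string(none)
 if url.trim_space() != '' {
-theme = sanatize(url).trim_space()
+theme = url.trim_space()
 }
 
 sql app.db {
@@ -234,7 +234,7 @@
 return ctx.redirect('/login')
 }
 
-clean_pronouns := sanatize(pronouns).trim_space()
+clean_pronouns := pronouns.trim_space()
 if !app.validators.pronouns.validate(clean_pronouns) {
 ctx.error('invalid pronouns')
 return ctx.redirect('/me')
@@ -258,7 +258,7 @@
 return ctx.redirect('/login')
 }
 
-clean_bio := sanatize(bio).trim_space()
+clean_bio := bio.trim_space()
 if !app.validators.user_bio.validate(clean_bio) {
 ctx.error('invalid bio')
 return ctx.redirect('/me')
@@ -311,8 +311,8 @@
 
 post := Post{
 author_id: user.id
-title: sanatize(title)
-body: sanatize(body)
+title: title
+body: body
 }
 
 sql app.db {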
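Review bot: With `sanatize` gone, `title` and `body` at new lines 314–315 are stored raw and, unlike the nickname, pronouns and bio hunks, pass through no `app.validators` check before the `Post{}` literal, so the only XSS barrier left is whatever the render side does — escaping at output is the right place for it, but only if every template that prints these fields uses the escaping interpolation, which I cannot see from this diff. The same applies to `theme` at new line 216, where HTML-escaping would never have blocked a `javascript:` URL anyway, so a scheme/host allowlist belongs there regardless of this change. I'd add `// stored unescaped on purpose: templates must HTML-escape title/body at render time` above `post := Post{` and run title and body through a validator like the other fields. Separately, the `eprintln` at new line 172 formats the whole `${user}` struct into the log; if `User` carries a password hash or email that lands in stderr — consider logging `user.id` only. The enclosing handlers start and end outside these hunks.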
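--- a/src/config.v
+++ b/src/config.v
@@ -62,10 +62,8 @@
 config.static_path = loaded.get('static_path').to_str()
 
 loaded_instance := loaded.get('instance')
-// yes i am still sanatizing these despite being configured exclusively
-// by the instance owner. redundant? maybe.
-config.instance.name = sanatize(loaded_instance.get('name').to_str())
-config.instance.welcome = sanatize(loaded_instance.get('welcome').to_str())
+config.instance.name = loaded_instance.get('name').to_str()
+config.instance.welcome = loaded_instance.get('welcome').to_str()
 
 loaded_http := loaded.get('http')
 config.http.port = loaded_http.get('port').to_int()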
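Review bot: Now that instance `name` and `welcome` at new lines 65–66 are no longer escaped, the trust assumption the removed comment carried (only the instance owner edits this file) is no longer stated anywhere in the code; I'd keep it as `// owner-controlled: not escaped here, the template decides how these render`. Whether `welcome` is meant to carry HTML or is printed through an escaping interpolation is not visible from this hunk — worth saying in that comment so the next maintainer does not re-add input-side escaping. The enclosing config-loading function starts and ends outside this hunk.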
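--- a/src/main.v
+++ b/src/main.v
@@ -58,18 +58,3 @@
 
 veb.run[App, Context](mut app, app.config.http.port)
 }
-
-// bad users, no RCE!
-fn sanatize(text string) string {
-return text
-.replace('&', '&')
-.replace('<', '<')
-.replace('>', '>')
-.replace('"', '"') // where did the `e` go??
-.replace('\'', ''') // and what is this?!?!?
-// in the above two comments, you can see me (emma) having spontaneous
-// anger at old spec design, where "quote" becomes "quot" and a single
-// quote is an incomprehensible string of numbers.
-// my proposition: `dquote` and `squote`.
-// (end rant)
-}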