From ebe2c8efede7e5707dc2bcea52cd158a7bef252b Mon Sep 17 00:00:00 2001
From: Alex Ling
Date: Mon, 4 Apr 2022 03:20:52 +0000
Subject: [PATCH] Sanitize parameters on user edit page (fixes #289)

---
 shard.lock          | 4 ++++
 shard.yml           | 2 ++
 src/routes/admin.cr | 8 +++++---
 3 files changed, 11 insertions(+), 3 deletions(-)

diff --git a/shard.lock b/shard.lock
index 292a16f..9d0756e 100644
--- a/shard.lock
+++ b/shard.lock
@@ -68,6 +68,10 @@ shards:
     git: https://github.com/luislavena/radix.git
     version: 0.4.1
 
+  sanitize:
+    git: https://github.com/hkalexling/sanitize.git
+    version: 0.1.0+git.commit.e09520e972d0d9b70b71bb003e6831f7c2c59dce
+
   sqlite3:
     git: https://github.com/crystal-lang/crystal-sqlite3.git
     version: 0.18.0
diff --git a/shard.yml b/shard.yml
index 44a0924..21b7ffb 100644
--- a/shard.yml
+++ b/shard.yml
@@ -42,3 +42,5 @@ dependencies:
     branch: master
   mg:
     github: hkalexling/mg
+  sanitize:
+    github: hkalexling/sanitize
diff --git a/src/routes/admin.cr b/src/routes/admin.cr
index c3692c9..23481f9 100644
--- a/src/routes/admin.cr
+++ b/src/routes/admin.cr
@@ -1,3 +1,5 @@
+require "sanitize"
+
 struct AdminRouter
   def initialize
     get "/admin" do |env|
@@ -14,13 +16,13 @@ struct AdminRouter
     end
 
     get "/admin/user/edit" do |env|
-      username = env.params.query["username"]?
+      sanitizer = Sanitize::Policy::Text.new
+      username = env.params.query["username"]?.try { |s| sanitizer.process s }
       admin = env.params.query["admin"]?
       if admin
         admin = admin == "true"
       end
-      error = env.params.query["error"]?
-      current_user = get_username env
+      error = env.params.query["error"]?.try { |s| sanitizer.process s }
       new_user = username.nil? && admin.nil?
       layout "user-edit"
     end
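Review bot: The new `sanitize` entry in shard.yml carries no version or commit constraint, while shard.lock resolves it to `0.1.0+git.commit.e09520e…`, an untagged commit of what appears to be the author's own fork, so a later `shards update` will silently move to whatever that fork's HEAD is at the time. Since this is the library the XSS fix depends on, pin it in the manifest as well, e.g. `sanitize:` / `github: hkalexling/sanitize` / `commit: e09520e972d0d9b70b71bb003e6831f7c2c59dce`. A one-line comment saying why the fork is used instead of the upstream shard (if it is one; not visible here) would also help the next person auditing dependencies.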
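Review bot: Stripping markup out of `username` on the added line `username = env.params.query["username"]?.try { |s| sanitizer.process s }` rewrites the value rather than escaping it at render time, so a stored username that legitimately contains `<`, `>` or `&` no longer round-trips through this page — if the `user-edit` template uses `username` to select or pre-fill the account (not visible here), that account becomes uneditable, and any other value the template interpolates stays unprotected. The safer fix for reflected query input is to keep the raw value and HTML-escape it where it is rendered (`HTML.escape`); if the sanitizer is kept, add a why-comment such as `# Strip markup from reflected query params; the template renders them unescaped (#289)`. Whether `Sanitize::Policy::Text` entity-encodes the text it keeps or only removes tags is not visible here and decides whether entity-based payloads are still neutralised — worth confirming against the shard. The hunk also drops `current_user = get_username env`; if the layout reads `current_user`, that removal is unrelated to the sanitisation and deserves a mention in the commit message. The enclosing `initialize` method and `AdminRouter` struct begin outside this hunk.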