Merge pull request #292 from hkalexling/fix/sanitize-html

Sanitize parameters on user edit page (fixes #289)
2022-04-04 21:16:44 +08:00 · 2022-04-04 21:16:44 +08:00 · 75e26d8624
parent d1de8b7a4e ebe2c8efed
commit 75e26d8624
3 changed files with 11 additions and 3 deletions
--- a/shard.lock
+++ b/shard.lock
@ -68,6 +68,10 @@ shards:
    git: https://github.com/luislavena/radix.git
    version: 0.4.1
  sanitize:
    git: https://github.com/hkalexling/sanitize.git
    version: 0.1.0+git.commit.e09520e972d0d9b70b71bb003e6831f7c2c59dce
  sqlite3:
    git: https://github.com/crystal-lang/crystal-sqlite3.git
    version: 0.18.0
--- a/shard.yml
+++ b/shard.yml
@ -42,3 +42,5 @@ dependencies:
    branch: master
  mg:
   github: hkalexling/mg
  sanitize:
    github: hkalexling/sanitize
--- a/src/routes/admin.cr
+++ b/src/routes/admin.cr
@ -1,3 +1,5 @@
 require "sanitize"
 struct AdminRouter
  def initialize
    get "/admin" do |env|
@ -14,13 +16,13 @@ struct AdminRouter
    end
    get "/admin/user/edit" do |env|
-      username = env.params.query["username"]?
+      sanitizer = Sanitize::Policy::Text.new
      username = env.params.query["username"]?.try { |s| sanitizer.process s }
      admin = env.params.query["admin"]?
      if admin
        admin = admin == "true"
      end
-      error = env.params.query["error"]?
+      error = env.params.query["error"]?.try { |s| sanitizer.process s }
      current_user = get_username env
      new_user = username.nil? && admin.nil?
      layout "user-edit"
    end