Sanitize parameters on user edit page (fixes #289)
hkalexling committed Apr 4, 2022
1 parent d1de8b7 commit ebe2c8e
Showing 3 changed files with 11 additions and 3 deletions.
4 changes: 4 additions & 0 deletions shard.lock
@@ -68,6 +68,10 @@ shards:
git: https://github.com/luislavena/radix.git
version: 0.4.1

sanitize:
git: https://github.com/hkalexling/sanitize.git
version: 0.1.0+git.commit.e09520e972d0d9b70b71bb003e6831f7c2c59dce

sqlite3:
git: https://github.com/crystal-lang/crystal-sqlite3.git
version: 0.18.0
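Review bot: the lock records `sanitize` at a bare commit of a personal fork (`0.1.0+git.commit.e09520e972d0d9b70b71bb003e6831f7c2c59dce` from `hkalexling/sanitize.git`), which is what shards writes when shard.yml gives no `version:`, `branch:` or `commit:` for the dependency. Because this shard is now the thing that stands between a query parameter and the rendered admin page, it should be pinned explicitly in shard.yml to this same commit (or to a tagged release), so that a later `shards update` cannot silently swap the sanitizer implementation; the reason for depending on the fork rather than the upstream shard should also be stated in the commit message or a comment next to the entry.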
2 changes: 2 additions & 0 deletions shard.yml
@@ -42,3 +42,5 @@ dependencies:
branch: master
mg:
github: hkalexling/mg
sanitize:
github: hkalexling/sanitize
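Review bot: the new `sanitize:` entry carries only `github: hkalexling/sanitize` with no `commit:`, `version:` or `branch:` line, even though the context directly above shows the file already pins at least a branch (`branch: master`) for another dependency. Add `commit: e09520e972d0d9b70b71bb003e6831f7c2c59dce` (the hash shard.lock resolved to in this same change) so the dependency is reproducible across fresh checkouts and cannot drift to a different revision of the fork without a deliberate edit here.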
8 changes: 5 additions & 3 deletions src/routes/admin.cr
@@ -1,3 +1,5 @@
require "sanitize"

struct AdminRouter
def initialize
get "/admin" do |env|
@@ -14,13 +16,13 @@ struct AdminRouter
end

get "/admin/user/edit" do |env|
username = env.params.query["username"]?
sanitizer = Sanitize::Policy::Text.new
username = env.params.query["username"]?.try { |s| sanitizer.process s }
admin = env.params.query["admin"]?
if admin
admin = admin == "true"
end
error = env.params.query["error"]?
current_user = get_username env
error = env.params.query["error"]?.try { |s| sanitizer.process s }
new_user = username.nil? && admin.nil?
layout "user-edit"
end
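Review bot: the fix sanitizes on input rather than escaping on output, and that choice has two consequences in this hunk. First, `Sanitize::Policy::Text` is a text policy, so it removes markup from `username` instead of escaping it; a stored username that legitimately contains `<`, `>` or `&` would be altered before it reaches the `user-edit` layout, and an edit form populated from that value could show, and resubmit, a name that differs from the one in the database. HTML-escaping `username` and `error` at the point where the layout renders them is the more robust fix for the reflected-content problem and would let the per-request `Sanitize::Policy::Text.new` (built even when neither parameter is present) be dropped. Second, `admin` is the one parameter left untouched; it is safe only because `admin = admin == "true"` collapses it to a boolean before use, which deserves a one-line comment so the asymmetry is not read as an oversight. Separately, the move of `error = ...` below `current_user = get_username env` has no functional effect and widens the diff; keep the assignment where it was.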

0 comments on commit ebe2c8e