sanitise input (can't believe I just remembered this)

2025-07-11 02:11:25 +01:00 · 2025-07-11 02:11:25 +01:00 · b2c649d001
commit b2c649d001
parent 68068adfa3
2 changed files with 16 additions and 5 deletions
--- a/app.js
+++ b/app.js
@ -78,6 +78,17 @@ function replace_format_indicators(input_string, post_index=0, tag_name="tag") {
 	return output_string
 }

+function escape_input(input) {
+    let output = input
+        .replaceAll("<", "&lt;")
+        .replaceAll(">", "&gt;")
+        .replaceAll("\\", "&#92;")
+        .replaceAll('"', "&#34;")
+        .replaceAll("'", "&#39;")
+        .replaceAll("/", "&#47;")
+    return output
+}
+
 app.get(config.rss_path, (req,res) => {
 	if (config.rss == false) {
 		res.send("Sorry, RSS is disabled!")
@ -227,10 +238,10 @@ app.post("/submit_edit", (req,res) => {
 });
 app.post("/submit_post", (req,res) => {
 	const password = crypto.createHash('sha512').update(req.body.password).digest('hex');
-	const username = req.body.username
-	const title = req.body.title
-	const content = req.body.content
-	const tags = req.body.tags.split(',');
+	const username = escape_input(req.body.username)
+	const title = escape_input(req.body.title)
+	const content = escape_input(req.body.content)
+	const tags = escape_input(req.body.tags).split(',');
 	const unix_timestamp = getUnixTime(new Date())
 	console.log(username, "is submitting a post titled:", title);	

--- a/hitcount.txt
+++ b/hitcount.txt
@ -1 +1 @@
-15
+45