deadvey/blogger-nodejs
1
1
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

sanitise input (can't believe I just remembered this)

Browse Source
This commit is contained in:
deadvey 2025-07-11 02:11:25 +01:00
parent 68068adfa3
commit b2c649d001
2 changed files with 16 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

19
app.js
View File

@ -78,6 +78,17 @@ function replace_format_indicators(input_string, post_index=0, tag_name="tag") {
return output_string return output_string
} }
function escape_input(input) {
let output = input
.replaceAll("<", "&lt;")
.replaceAll(">", "&gt;")
.replaceAll("\\", "&#92;")
.replaceAll('"', "&#34;")
.replaceAll("'", "&#39;")
.replaceAll("/", "&#47;")
return output
}
app.get(config.rss_path, (req,res) => { app.get(config.rss_path, (req,res) => {
if (config.rss == false) { if (config.rss == false) {
res.send("Sorry, RSS is disabled!") res.send("Sorry, RSS is disabled!")
@ -227,10 +238,10 @@ app.post("/submit_edit", (req,res) => {
}); });
app.post("/submit_post", (req,res) => { app.post("/submit_post", (req,res) => {
const password = crypto.createHash('sha512').update(req.body.password).digest('hex'); const password = crypto.createHash('sha512').update(req.body.password).digest('hex');
const username = req.body.username const username = escape_input(req.body.username)
const title = req.body.title const title = escape_input(req.body.title)
const content = req.body.content const content = escape_input(req.body.content)
const tags = req.body.tags.split(','); const tags = escape_input(req.body.tags).split(',');
const unix_timestamp = getUnixTime(new Date()) const unix_timestamp = getUnixTime(new Date())
console.log(username, "is submitting a post titled:", title); console.log(username, "is submitting a post titled:", title);

2
hitcount.txt
View File

@ -1 +1 @@
15 45