diff options
| author | unwox <me@unwox.com> | 2024-11-06 23:47:35 +0600 |
|---|---|---|
| committer | unwox <me@unwox.com> | 2024-11-06 23:47:35 +0600 |
| commit | 23466bca222f60ca13038d36b4160bf212682e31 (patch) | |
| tree | 6dfd75a5957905e9a3b05aed862fd0cd58f239ac /bin | |
| parent | c69f561ccde0ad85bfec3321e3cac4a31aabc0af (diff) | |
sanitize user input
Diffstat (limited to 'bin')
| -rw-r--r-- | bin/serve.fnl | 24 |
1 files changed, 15 insertions, 9 deletions
diff --git a/bin/serve.fnl b/bin/serve.fnl index dde1138..8855120 100644 --- a/bin/serve.fnl +++ b/bin/serve.fnl @@ -47,6 +47,11 @@ (string.gsub """ "\"") (string.gsub "&" "&")))) +(fn sanitize-input [input] + (if input + (str.trim (input:gsub "[=()<>']" "")) + nil)) + (fn category-menu-path [category] (. {"Красный чай" "red-tea" "Шен пуэр" "sheng-puer" @@ -62,15 +67,15 @@ (. query key) (. query key 1) (< 0 (# (. query key 1)))) - (. query key 1) + (sanitize-input (. query key 1)) nil)) (fn get-query-number [query key] (if (and query - (. query key) - (. query key 1) - (< 0 (# (. query key 1)))) - (tonumber (. query key 1)) + (. query key) + (. query key 1) + (< 0 (# (. query key 1)))) + (tonumber (sanitize-input (. query key 1))) nil)) (fn serialize-query [query] @@ -80,10 +85,11 @@ (array.join (array.list flattened-object) "&")) (fn collect-form [params category] - {:query (str.trim (or (get-query-string params "query") "")) - :tags (filter #(~= "" $2) (or params.tags [category])) - :site (str.trim (or (get-query-string params "site") "")) - :sort (str.trim (or (get-query-string params "sort") "")) + {:query (or (get-query-string params "query") "") + :tags (map #(sanitize-input $2) + (filter #(~= "" $2) (or params.tags [category]))) + :site (or (get-query-string params "site") "") + :sort (or (get-query-string params "sort") "") :min-price (get-query-number params "min-price") :max-price (get-query-number params "max-price") :price-per (= "on" (get-query-string params "price-per"))}) |