From 23466bca222f60ca13038d36b4160bf212682e31 Mon Sep 17 00:00:00 2001
From: unwox
Date: Wed, 6 Nov 2024 23:47:35 +0600
Subject: sanitize user input

---
 bin/serve.fnl | 24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

(limited to 'bin')

diff --git a/bin/serve.fnl b/bin/serve.fnl
index dde1138..8855120 100644
--- a/bin/serve.fnl
+++ b/bin/serve.fnl
@@ -47,6 +47,11 @@
 (string.gsub """ "\"")
 (string.gsub "&" "&"))))
 
+(fn sanitize-input [input]
+ (if input
+ (str.trim (input:gsub "[=()<>']" ""))
+ nil))
+
 (fn category-menu-path [category]
 (. {"Красный чай" "red-tea"
 "Шен пуэр" "sheng-puer"
@@ -62,15 +67,15 @@
 (. query key)
 (. query key 1)
 (< 0 (# (. query key 1))))
- (. query key 1)
+ (sanitize-input (. query key 1))
 nil))
 
 (fn get-query-number [query key]
 (if (and query
- (. query key)
- (. query key 1)
- (< 0 (# (. query key 1))))
- (tonumber (. query key 1))
+ (. query key)
+ (. query key 1)
+ (< 0 (# (. query key 1))))
+ (tonumber (sanitize-input (. query key 1)))
 nil))
 
 (fn serialize-query [query]
@@ -80,10 +85,11 @@
 (array.join (array.list flattened-object) "&"))
 
 (fn collect-form [params category]
- {:query (str.trim (or (get-query-string params "query") ""))
- :tags (filter #(~= "" $2) (or params.tags [category]))
- :site (str.trim (or (get-query-string params "site") ""))
- :sort (str.trim (or (get-query-string params "sort") ""))
+ {:query (or (get-query-string params "query") "")
+ :tags (map #(sanitize-input $2)
+ (filter #(~= "" $2) (or params.tags [category])))
+ :site (or (get-query-string params "site") "")
+ :sort (or (get-query-string params "sort") "")
 :min-price (get-query-number params "min-price")
 :max-price (get-query-number params "max-price")
 :price-per (= "on" (get-query-string params "price-per"))})
-- 
cgit v1.2.3
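Review bot: `sanitize-input` strips `=()<>'` from arbitrary query values, but a character denylist is not escaping for any particular sink — `"`, `;`, `\`, backtick, `%` and `_` all pass through untouched, so whatever the query, site and sort strings are eventually handed to (not visible in this diff) still needs its own context-specific escaping or parameterization, just as the `string.gsub` entity chain at the top of the hunk does for HTML. Note also that `input:gsub` returns two values (the new string and the replacement count), and because the call is the last argument both are forwarded to `str.trim`; if `str.trim` accepts an optional second parameter the count would be picked up, so binding the first value explicitly, `(let [cleaned (input:gsub "[=()<>']" "")] (str.trim cleaned))`, removes that dependency on `str.trim`'s arity. A one-line comment stating what the denylist is and is not meant to guard against would help the next reader, e.g. `;; Best-effort character denylist; callers must still escape for their own output context.`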
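Review bot: In `get-query-string` the non-empty check `(< 0 (# (. query key 1)))` still runs on the raw value, so a parameter made only of stripped characters or whitespace (for example `()` or `"  "`) now comes back as `""` rather than `nil`; callers that test for `nil` will see a present-but-empty string. If that is not intended, bind the cleaned value and keep the old contract: `(let [v (sanitize-input (. query key 1))] (if (= v "") nil v))` in place of the added line. In `get-query-number`, calling `sanitize-input` before `tonumber` does not add safety, since `tonumber` already rejects anything that is not a numeric literal, while it silently turns an input such as `(5)` into `5` instead of rejecting it; the previous `(tonumber (. query key 1))` was the stricter form. Both function bodies begin before this hunk.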
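Review bot: In `collect-form` the `:tags` entry filters out empty strings before `sanitize-input` runs, so a tag that the denylist reduces to `""` (e.g. `()` or whitespace-only) survives into the result; swapping the two steps fixes it, `(filter #(~= "" $2) (map #(sanitize-input $2) (or params.tags [category])))`. This assumes `map` follows the same `(index, value)` argument convention as the existing `filter` call, which the hunk does not show. Since `:query`, `:site` and `:sort` now rely on `get-query-string` for trimming, a short comment such as `;; get-query-string trims and sanitizes; no str.trim needed here.` would stop the next reader from re-adding it.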