more html_escape
This commit is contained in:
parent
51c73e2fb3
commit
a88ab15b35
2 changed files with 17 additions and 11 deletions
|
|
@ -273,9 +273,6 @@ let () =
|
||||||
(* TODO: Is this safe? *)
|
(* TODO: Is this safe? *)
|
||||||
(*TODO fix bad link if post in other thread*)
|
(*TODO fix bad link if post in other thread*)
|
||||||
let parse_comment comment =
|
let parse_comment comment =
|
||||||
let comment = String.trim comment in
|
|
||||||
let comment = Dream.html_escape comment in
|
|
||||||
|
|
||||||
let handle_word w =
|
let handle_word w =
|
||||||
let trim_w = String.trim w in
|
let trim_w = String.trim w in
|
||||||
(* '>' is '>' after html_escape *)
|
(* '>' is '>' after html_escape *)
|
||||||
|
|
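Review bot: parse_comment no longer escapes `comment` itself, yet the retained comment `(* '>' is ... after html_escape *)` (rendered here with the entity apparently decoded) still depends on the caller having escaped it, and nothing at the definition states that precondition. Add above `let parse_comment comment =` something like `(* [comment] must already be HTML-escaped (make_reply/make_op do this); quote detection below relies on the escaped form *)`. Since escaping now happens at submission time rather than when the comment is rendered, any comment reaching parse_comment from another path, or rows stored before this change, would be processed raw — worth confirming no such path exists. The body of parse_comment continues into the next hunk and beyond.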
@ -320,6 +317,7 @@ let parse_comment comment =
|
||||||
(line, cited_posts)
|
(line, cited_posts)
|
||||||
in
|
in
|
||||||
|
|
||||||
|
let comment = String.trim comment in
|
||||||
let lines = String.split_on_char '\n' comment in
|
let lines = String.split_on_char '\n' comment in
|
||||||
let lines, cited_posts =
|
let lines, cited_posts =
|
||||||
List.fold_left
|
List.fold_left
|
||||||
|
|
@ -527,12 +525,17 @@ let upload_post post =
|
||||||
Ok post_id
|
Ok post_id
|
||||||
|
|
||||||
let make_reply ~comment ?image ~tags ~parent_id nick =
|
let make_reply ~comment ?image ~tags ~parent_id nick =
|
||||||
if String.length comment > 10000 then
|
let comment = Dream.html_escape comment in
|
||||||
|
let tags = Dream.html_escape tags in
|
||||||
|
if Option.is_none (Uuidm.of_string parent_id) then
|
||||||
|
Error "invalid thread id"
|
||||||
|
else if String.length comment > 10000 then
|
||||||
Error "invalid comment"
|
Error "invalid comment"
|
||||||
else
|
else
|
||||||
let image =
|
let image =
|
||||||
match image with
|
match image with
|
||||||
| Some (Some image_name, image_content) -> Some (image_name, image_content)
|
| Some (Some image_name, image_content) ->
|
||||||
|
Some (Dream.html_escape image_name, image_content)
|
||||||
| Some (None, image_content) ->
|
| Some (None, image_content) ->
|
||||||
(* make up random name if no name was given *)
|
(* make up random name if no name was given *)
|
||||||
let image_name = Uuidm.to_string (Uuidm.v4_gen random_state ()) in
|
let image_name = Uuidm.to_string (Uuidm.v4_gen random_state ()) in
|
||||||
|
|
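Review bot: In make_reply the 10000-character limit is now evaluated on the escaped comment (`Dream.html_escape` runs before `String.length comment > 10000`), so the effective raw limit shrinks with every `&`, `<`, `>` or quote in the text; the same ordering appears in make_op in the next hunk and in update_bio. If the limit is meant as a storage bound that is fine but should be stated, e.g. `(* length limit applies to the escaped form, which is what gets stored *)`; if it is meant as a user-facing limit, move the check above the escape. `Dream.html_escape image_name` only neutralises HTML metacharacters, so if the stored name is ever used in a filesystem path or a Content-Disposition header it offers no protection for that context (separators and `..` pass through unchanged) — I cannot see how it is used from here, but a separate filename validation would be safer. The remainder of make_reply lies outside this hunk.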
@ -570,12 +573,16 @@ let make_reply ~comment ?image ~tags ~parent_id nick =
|
||||||
upload_post reply
|
upload_post reply
|
||||||
|
|
||||||
let make_op ~comment ~image ~tags ~subject ~lat ~lng ~board nick =
|
let make_op ~comment ~image ~tags ~subject ~lat ~lng ~board nick =
|
||||||
|
let comment = Dream.html_escape comment in
|
||||||
|
let tags = Dream.html_escape tags in
|
||||||
|
let subject = Dream.html_escape subject in
|
||||||
if String.length comment > 10000 then
|
if String.length comment > 10000 then
|
||||||
Error "invalid comment"
|
Error "invalid comment"
|
||||||
else
|
else
|
||||||
let image =
|
let image =
|
||||||
match image with
|
match image with
|
||||||
| Some image_name, image_content -> (image_name, image_content)
|
| Some image_name, image_content ->
|
||||||
|
(Dream.html_escape image_name, image_content)
|
||||||
| None, image_content ->
|
| None, image_content ->
|
||||||
(* make up random name if no name was given *)
|
(* make up random name if no name was given *)
|
||||||
let image_name = Uuidm.to_string (Uuidm.v4_gen random_state ()) in
|
let image_name = Uuidm.to_string (Uuidm.v4_gen random_state ()) in
|
||||||
|
|
|
||||||
|
|
@ -92,7 +92,7 @@ let register ~email ~nick ~password =
|
||||||
let valid_nick =
|
let valid_nick =
|
||||||
String.length nick < 64
|
String.length nick < 64
|
||||||
&& String.length nick > 0
|
&& String.length nick > 0
|
||||||
&& String.escaped nick = nick
|
&& Dream.html_escape nick = nick
|
||||||
in
|
in
|
||||||
|
|
||||||
let valid_email =
|
let valid_email =
|
||||||
|
|
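Review bot: Replacing `String.escaped nick = nick` with `Dream.html_escape nick = nick` loosens `valid_nick`: the old test rejected control characters (newline, tab, NUL), backslashes and non-ASCII bytes, whereas html_escape only rewrites HTML metacharacters, so a nick containing a newline or other control byte now passes. If the intent was to allow non-ASCII nicks, keep an explicit control-character guard alongside the new check, e.g. `&& not (String.exists (fun c -> Char.code c < 32 || c = '\127') nick)` (String.exists needs OCaml ≥ 4.13); otherwise keeping both checks is the smaller change. `register` continues outside this hunk.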
@ -165,8 +165,8 @@ let profile request =
|
||||||
| Some nick -> Format.sprintf "Hello %s !" nick
|
| Some nick -> Format.sprintf "Hello %s !" nick
|
||||||
|
|
||||||
let update_bio bio nick =
|
let update_bio bio nick =
|
||||||
let valid = true in
|
let bio = Dream.html_escape bio in
|
||||||
(* TODO check bio len and FORBIDEN WORDS *)
|
let valid = String.length bio < 10000 in
|
||||||
if not valid then
|
if not valid then
|
||||||
Error "Not biologic"
|
Error "Not biologic"
|
||||||
else
|
else
|
||||||
|
|
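Review bot: The `(* TODO check bio len and FORBIDEN WORDS *)` comment is dropped but only the length half is implemented; if the word filter is still planned, keep `(* TODO: filter forbidden words *)` above `let valid = String.length bio < 10000 in`. As in make_reply, the length is measured after escaping, so a bio of fewer than 10000 raw characters can still be rejected; a one-line comment stating which limit is intended would avoid surprises. update_bio continues past the hunk.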
@ -201,8 +201,7 @@ let upload_avatar files nick =
|
||||||
match files with
|
match files with
|
||||||
| [] -> Error "No file provided"
|
| [] -> Error "No file provided"
|
||||||
| [ (_, content) ] -> (
|
| [ (_, content) ] -> (
|
||||||
let valid = true in
|
if not (is_valid_image content) then
|
||||||
if not valid then
|
|
||||||
Error "Invalid image"
|
Error "Invalid image"
|
||||||
else
|
else
|
||||||
let res = Db.exec Q.upload_avatar (content, nick) in
|
let res = Db.exec Q.upload_avatar (content, nick) in
|
||||||
|
|
|
||||||
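Review bot: `is_valid_image content` now gates the write, but nothing in the hunk bounds the size of `content` before `Db.exec Q.upload_avatar (content, nick)`; unless is_valid_image (defined elsewhere) enforces one, a check such as `else if String.length content > max_avatar_bytes then Error "Invalid image"` (with `max_avatar_bytes` a constant to be chosen) would belong next to it. The other arms of `match files with` and the rest of upload_avatar are outside the hunk.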