more html_escape
This commit is contained in:
parent
51c73e2fb3
commit
a88ab15b35
2 changed files with 17 additions and 11 deletions
@ -273,9 +273,6 @@ let () =
|
|||
(* TODO: Is this safe? *)
|
||||
(*TODO fix bad link if post in other thread*)
|
||||
let parse_comment comment =
|
||||
let comment = String.trim comment in
|
||||
let comment = Dream.html_escape comment in
|
||||
|
||||
let handle_word w =
|
||||
let trim_w = String.trim w in
|
||||
(* '>' is '>' after html_escape *)
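Review bot: With the `Dream.html_escape` call removed from `parse_comment`, the quote detection described on the last line of the hunk (`'>'` compared in its escaped `&gt;` form — the page rendering appears to have unescaped the entity in that comment) now silently depends on every caller escaping first, and nothing in this function checks or documents that. Give the function a doc comment that states the precondition, e.g. `(** [parse_comment comment] expects [comment] to have already passed through [Dream.html_escape] (see [make_reply] and [make_op]); quote markers are matched in their escaped form, so raw input will neither be quoted correctly nor be safe to render. *)`. The `(* TODO: Is this safe? *)` left above it should either be answered by that comment or say what is in doubt. `parse_comment`'s body continues past the hunk.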
|
||||
|
|
@ -320,6 +317,7 @@ let parse_comment comment =
|
|||
(line, cited_posts)
|
||||
in
|
||||
|
||||
let comment = String.trim comment in
|
||||
let lines = String.split_on_char '\n' comment in
|
||||
let lines, cited_posts =
|
||||
List.fold_left
|
||||
|
|
@ -527,12 +525,17 @@ let upload_post post =
|
|||
Ok post_id
|
||||
|
||||
let make_reply ~comment ?image ~tags ~parent_id nick =
|
||||
if String.length comment > 10000 then
|
||||
let comment = Dream.html_escape comment in
|
||||
let tags = Dream.html_escape tags in
|
||||
if Option.is_none (Uuidm.of_string parent_id) then
|
||||
Error "invalid thread id"
|
||||
else if String.length comment > 10000 then
|
||||
Error "invalid comment"
|
||||
else
|
||||
let image =
|
||||
match image with
|
||||
| Some (Some image_name, image_content) -> Some (image_name, image_content)
|
||||
| Some (Some image_name, image_content) ->
|
||||
Some (Dream.html_escape image_name, image_content)
|
||||
| Some (None, image_content) ->
|
||||
(* make up random name if no name was given *)
|
||||
let image_name = Uuidm.to_string (Uuidm.v4_gen random_state ()) in
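Review bot: The `String.length comment > 10000` check now runs on the escaped string, because `let comment = Dream.html_escape comment in` comes first; `&lt;`/`&amp;` expansion inflates the length, so a raw comment well under the limit can be rejected, and the limit is bytes rather than characters either way. Validate the raw input before transforming it: `let comment_too_long = String.length comment > 10000 in` above the escape, then `else if comment_too_long then`. The escaped name in `Some (Dream.html_escape image_name, image_content)` only neutralises HTML metacharacters — if that name is later used to build a filesystem path or a `Content-Disposition` header (the consumer is not visible here), `/` and `..` survive, so `Filename.basename` or the generated UUID name would be the safer choice. Escaping at ingestion also makes the stored text HTML-specific; any later non-HTML output (JSON, feeds) must not escape it again. `make_reply` continues past the hunk.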
|
||||
|
|
@ -570,12 +573,16 @@ let make_reply ~comment ?image ~tags ~parent_id nick =
|
|||
upload_post reply
|
||||
|
||||
let make_op ~comment ~image ~tags ~subject ~lat ~lng ~board nick =
|
||||
let comment = Dream.html_escape comment in
|
||||
let tags = Dream.html_escape tags in
|
||||
let subject = Dream.html_escape subject in
|
||||
if String.length comment > 10000 then
|
||||
Error "invalid comment"
|
||||
else
|
||||
let image =
|
||||
match image with
|
||||
| Some image_name, image_content -> (image_name, image_content)
|
||||
| Some image_name, image_content ->
|
||||
(Dream.html_escape image_name, image_content)
|
||||
| None, image_content ->
|
||||
(* make up random name if no name was given *)
|
||||
let image_name = Uuidm.to_string (Uuidm.v4_gen random_state ()) in
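Review bot: Same ordering concern as in `make_reply`: `String.length comment > 10000` is evaluated after `let comment = Dream.html_escape comment in`, so the limit applies to the inflated escaped length; compute the raw-length check before escaping (`let comment_too_long = String.length comment > 10000 in`, then `if comment_too_long then`). `subject` and `tags` are escaped but no bound on their length is visible in the hunk — if none exists elsewhere, the same guard belongs here. As in `make_reply`, `Dream.html_escape image_name` does not sanitise the name for a path or header context, so if it reaches one, handle that separately. `make_op` continues past the hunk.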
|
||||
|
@ -92,7 +92,7 @@ let register ~email ~nick ~password =
|
|||
let valid_nick =
|
||||
String.length nick < 64
|
||||
&& String.length nick > 0
|
||||
&& String.escaped nick = nick
|
||||
&& Dream.html_escape nick = nick
|
||||
in
|
||||
|
||||
let valid_email =
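Review bot: Swapping `String.escaped nick = nick` for `Dream.html_escape nick = nick` drops a check rather than adding one: `String.escaped` rejected control bytes (newline, tab, NUL, non-printable bytes) and backslashes, which `Dream.html_escape` leaves untouched, so such nicks are now accepted. Keep both conditions, `&& String.escaped nick = nick` followed by `&& Dream.html_escape nick = nick`, unless control characters in nicknames are intended. `String.length nick < 64` also counts bytes, so multi-byte UTF-8 nicks get a shorter effective limit than ASCII ones — worth a one-line comment if that is acceptable. `register` continues past the hunk.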
|
||||
|
|
@ -165,8 +165,8 @@ let profile request =
|
|||
| Some nick -> Format.sprintf "Hello %s !" nick
|
||||
|
||||
let update_bio bio nick =
|
||||
let valid = true in
|
||||
(* TODO check bio len and FORBIDEN WORDS *)
|
||||
let bio = Dream.html_escape bio in
|
||||
let valid = String.length bio < 10000 in
|
||||
if not valid then
|
||||
Error "Not biologic"
|
||||
else
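Review bot: `let valid = String.length bio < 10000 in` is computed after `let bio = Dream.html_escape bio in`, so the bound applies to the escaped text, which `&lt;`/`&amp;` expansion can make several times longer than what the user typed; move the length check above the escape so the limit means what it says. The removed `(* TODO check bio len and FORBIDEN WORDS *)` was only half addressed — the length part is done, the word filter is not — so if that is still a requirement, leave `(* TODO: forbidden-word filter *)` in place rather than deleting the reminder. `update_bio` continues past the hunk.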
|
||||
|
|
@ -201,8 +201,7 @@ let upload_avatar files nick =
|
|||
match files with
|
||||
| [] -> Error "No file provided"
|
||||
| [ (_, content) ] -> (
|
||||
let valid = true in
|
||||
if not valid then
|
||||
if not (is_valid_image content) then
|
||||
Error "Invalid image"
|
||||
else
|
||||
let res = Db.exec Q.upload_avatar (content, nick) in
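Review bot: `is_valid_image content` is called on the fully uploaded body, and no size bound on `content` is visible in this hunk before `Db.exec Q.upload_avatar (content, nick)`; unless the multipart handler caps it elsewhere, add an explicit limit ahead of the format check, e.g. `else if String.length content > max_avatar_bytes then Error "Avatar too large"`. `is_valid_image` is defined outside this hunk, so I cannot tell what it verifies; it should inspect the magic bytes or decode the header rather than trust a client-supplied content type, and a one-line comment here naming the accepted formats would help the next reader. The `| [ (_, content) ] -> (` arm discards the client filename, which is the right call — a short comment saying the name is intentionally ignored would make that clear. `upload_avatar` continues past the hunk.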
|
||||