
Commit ce871c0

committed
Validate and escape values properly
1 parent 811c776 commit ce871c0

3 files changed

Lines changed: 48 additions & 17 deletions


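--- a/core/entryController.js
+++ b/core/entryController.js
@@ -5,7 +5,8 @@ let formidable = require('formidable'),
 fs = require('fs'),
 crypto = require('crypto'),
 resize = require('./resize'),
-mailer = require('./mailer');
+mailer = require('./mailer'),
+validator = require('validator');
 
 exports.getAll = function (req, res) {
 const ORDER_BY_DATE_ASC = 'asc',
@@ -194,8 +195,6 @@ exports.createEntry = function (req, res) {
 requiredFields = ['email', 'firstname', 'anon', 'message'],
 allowedFields = ['email', 'firstname', 'lastname', 'anon', 'message', 'country', 'beta', 'newsletter', 'pax'];
 
-const messageMaxCharacters = 500;
-
 form.uploadDir = __dirname + '/../uploads/';
 form.keepExtensions = true;
 form.maxFields = 5;
@@ -223,12 +222,53 @@ exports.createEntry = function (req, res) {
 
 fields[[field]] = value;
 }
+if (field === 'firstname') {
+fields[[field]] = validator.escape(validator.trim(value));
+if (!validator.isLength(value, {min: 1, max: 200})) {
+errorFields.push('firstname');
+out['firstname'] = 'This field needs to have between 1 and 200 characters';
+}
+}
+if (field === 'lastname') {
+fields[[field]] = validator.escape(validator.trim(value));
+if (!validator.isLength(value, {max: 200})) {
+errorFields.push('lastname');
+out['lastname'] = 'Limit of 200 characters for this field exceeded';
+}
+}
+if (field === 'email') {
+fields[[field]] = validator.escape(validator.trim(value));
+if (!validator.isEmail(value)) {
+errorFields.push('email');
+out['email'] = 'No valid email address';
+}
+if (!validator.isLength(value, {max: 200})) {
+errorFields.push('email');
+out['message'] = 'Limit of 200 characters for this field exceeded';
+}
+}
+if (field === 'country') {
+fields[[field]] = validator.escape(validator.trim(value));
+if (!validator.isISO31661Alpha2(value)) {
+errorFields.push('country');
+out['country'] = 'No valid country code';
+}
+}
 if (field === 'message') {
-if ((String(value)).length > messageMaxCharacters) {
-errorFields.push(field);
-out[field] = 'Limit of ' + messageMaxCharacters + ' characters for this field exceeded';
+fields[[field]] = validator.escape(validator.trim(value));
+if (!validator.isLength(value, {max: 500})) {
+errorFields.push('message');
+out['message'] = 'Limit of 500 characters for this field exceeded';
 }
 }
+if (field === 'anon') {
+fields[[field]] = validator.toBoolean(validator.trim(value));
+if (!validator.isBoolean(String(value))) {
+errorFields.push('anon');
+out['message'] = 'No valid value';
+}
+}
+
 }).on('file', function (field, file) {
 files.push({
 size: file.size,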
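Review bot: The new email and anon branches report their errors under the wrong key: `out['message'] = 'Limit of 200 characters for this field exceeded';` in the email block and `out['message'] = 'No valid value';` in the anon block clobber the message field's error instead of setting `out['email']` and `out['anon']`, so the client is told the wrong field is invalid. Every check in this hunk also validates the raw `value` while storing the trimmed and escaped one, so a firstname consisting of whitespace passes `isLength(value, {min: 1, max: 200})` yet is saved as an empty string; compute `const trimmed = validator.trim(value);` once and run the checks and the assignment on that same string. Persisting `validator.escape()` output for email and country also stores HTML entities (an apostrophe in a local part becomes `&#x27;`), which will not match the real address when it is reused outside an HTML context; escaping is safer applied at render time, with only trimming and validation on input. The enclosing 'field' handler and createEntry start before this hunk.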

package-lock.json

Lines changed: 0 additions & 9 deletions

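--- a/package.json
+++ b/package.json
@@ -17,14 +17,14 @@
 "ejs": "^2.7.4",
 "email-templates": "^7.0.5",
 "express": "^4.17.1",
-"express-validator": "^6.6.0",
 "formidable": "^1.2.2",
 "moment": "^2.27.0",
 "mysql": "^2.18.1",
 "nodemailer": "^4.7.0",
 "nodemailer-smtp-transport": "^2.7.4",
 "q": "^1.5.1",
-"sharp": "^0.25.4"
+"sharp": "^0.25.4",
+"validator": "^13.1.1"
 },
 "devDependencies": {
 "nodemon": "^2.0.4"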
