-rwxr-xr-x | abrechenbarkeit.lua | 23 |
1 files changed, 15 insertions, 8 deletions
diff --git a/abrechenbarkeit.lua b/abrechenbarkeit.lua
index d4eacc3..8eedccd 100755
--- a/abrechenbarkeit.lua
+++ b/abrechenbarkeit.lua
@@ -112,9 +112,13 @@ local function respond(status, title, body)
 ))
 end
 
+local function error_box(message)
+return string.format([[<div class="notif error"><p>Error: %s</p></div>]], message)
+end
+
 local function respond_error(message)
 respond(400, "Error", function()
-print(string.format("<p>Error: %s</p>", escape(message)))
+print(error_box(message))
 end)
 end
 
@@ -213,10 +217,6 @@ local function get_active_users()
 return users
 end
 
-local function error_box(message)
-return string.format([[<div class="notif error"><p>Error: %s</p></div>]], message)
-end
-
 local function r_user_post(username)
 local data = form_data()
 local amount = tonumber(data.amount)
@@ -425,10 +425,17 @@ local function r_index()
 end)
 end
 
+local function validate_username(username)
+-- disallow leading or traling whitespace
+return username ~= nil
+and username:match("^([%w_ -]+)$") ~= nil
+and username:match("^%s") == nil
+and username:match("%s$") == nil
+end
+
 local function r_create_user()
 local username = query.create_user
--- gsub to remove whitespace. disallows username made up entirely of whitespace
-if username:gsub("%s+", ""):match("^([%w_ -]+)$") == nil then
+if not validate_username(username) then
 return respond_error("invalid username " .. username)
 end
 return redirect(string.format("/%s", urlencode(username)))
@@ -550,7 +557,7 @@ if path == "/" then
 end
 else
 local username = extract_username()
-if username == nil then
+if username == nil or not validate_username(username) then
 return respond_error("username invalid")
 elseif query.log then
 return r_log(username)
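Review bot: The new `print(error_box(message))` in respond_error drops the `escape(message)` call that the removed line had, so the message is now interpolated into the HTML produced by error_box unescaped. The r_create_user hunk further down builds that message as `"invalid username " .. username` from the raw create_user query value, which is precisely the input that just failed validation, so a crafted value is reflected into the 400 page as markup. Keep the escaping at the call site, `print(error_box(escape(message)))`, or move it inside error_box if every caller passes untrusted text; error_box's other callers are not visible in this diff, so whether they already escape cannot be confirmed here. The `))`/`end` context lines close respond, whose body starts outside the hunk.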
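Review bot: validate_username now returns false for a nil username, but the unchanged context line `return respond_error("invalid username " .. username)` in r_create_user then concatenates nil and raises a Lua error instead of returning the 400, so the one path the new `username ~= nil` guard exists for still fails (previously the `gsub` call on nil failed at the same spot, so this is pre-existing, but the commit's nil handling does not reach the caller). Use `return respond_error("invalid username " .. tostring(username))` or handle the missing parameter before the concat. The comment has a typo and should read `-- disallow leading or trailing whitespace`. Note also that `%w` maps to the C library's isalnum and is locale-dependent, so under a non-C locale the accepted byte set may be wider than ASCII; if the username feeds paths or lookups elsewhere, spelling the class out as `[A-Za-z0-9_ -]` pins it.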
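Review bot: The `username == nil or` half of the new condition is redundant now that validate_username itself rejects nil, so `if username == nil or not validate_username(username) then` can be written as `if not validate_username(username) then`, which also keeps the two call sites of the validator parallel. extract_username() and the enclosing if/else routing chain start outside the hunk, so whether it can return something other than a string or nil cannot be confirmed from here.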