Diffstat (limited to 'abrechenbarkeit.lua')
-rwxr-xr-xabrechenbarkeit.lua23
1 files changed, 15 insertions, 8 deletions
diff --git a/abrechenbarkeit.lua b/abrechenbarkeit.lua
index d4eacc3..8eedccd 100755
--- a/abrechenbarkeit.lua
+++ b/abrechenbarkeit.lua
@@ -112,9 +112,13 @@ local function respond(status, title, body)
))
end
+local function error_box(message)
+ return string.format([[<div class="notif error"><p>Error: %s</p></div>]], message)
+end
+
local function respond_error(message)
respond(400, "Error", function()
- print(string.format("<p>Error: %s</p>", escape(message)))
+ print(error_box(message))
end)
end
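Review bot: respond_error no longer HTML-escapes its message: the removed line passed `escape(message)` into the format string, while the new line hands `message` straight to error_box, which interpolates it with string.format and no escaping. Later in this same diff r_create_user calls `respond_error("invalid username " .. username)` with the raw query value, so a rejected username containing markup is reflected unescaped into the 400 page, i.e. a reflected XSS that the old code did not have. Keep the escaping on this path with `print(error_box(escape(message)))`; escaping at this call site rather than inside error_box avoids double-escaping if other callers (error_box previously lived next to r_user_post) pass already-rendered HTML. The `))` / `end` context at the top of the hunk is the tail of respond, whose body starts outside the hunk.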
@@ -213,10 +217,6 @@ local function get_active_users()
return users
end
-local function error_box(message)
- return string.format([[<div class="notif error"><p>Error: %s</p></div>]], message)
-end
-
local function r_user_post(username)
local data = form_data()
local amount = tonumber(data.amount)
@@ -425,10 +425,17 @@ local function r_index()
end)
end
+local function validate_username(username)
+ -- disallow leading or traling whitespace
+ return username ~= nil
+ and username:match("^([%w_ -]+)$") ~= nil
+ and username:match("^%s") == nil
+ and username:match("%s$") == nil
+end
+
local function r_create_user()
local username = query.create_user
- -- gsub to remove whitespace. disallows username made up entirely of whitespace
- if username:gsub("%s+", ""):match("^([%w_ -]+)$") == nil then
+ if not validate_username(username) then
return respond_error("invalid username " .. username)
end
return redirect(string.format("/%s", urlencode(username)))
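Review bot: validate_username deliberately returns false for a nil username, but the failure branch in r_create_user then evaluates `"invalid username " .. username`, which raises "attempt to concatenate a nil value" when the create_user query parameter is absent, so such a request ends in a Lua error rather than the intended 400; `return respond_error("invalid username " .. tostring(username))` (or a fixed message) closes that. Echoing the rejected raw value back into the page also makes the escaping behaviour of respond_error load-bearing for this line. Two documentation nits in validate_username: the comment should read `-- disallow leading or trailing whitespace`, and the pattern `[%w_ -]` deserves a note such as `-- '-' is literal only because it is the last char of the class` so nobody later "tidies" it into a range.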
@@ -550,7 +557,7 @@ if path == "/" then
end
else
local username = extract_username()
- if username == nil then
+ if username == nil or not validate_username(username) then
return respond_error("username invalid")
elseif query.log then
return r_log(username)
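Review bot: Applying validate_username to the extracted path username is a tighter rule than the create-time check it replaces, which only validated `username:gsub("%s+", "")` and then redirected to the unmodified name; if any account was created earlier with leading, trailing or non-space whitespace in its name (how names are persisted is not visible here), every route for it now answers "username invalid" and the account is effectively unreachable. Worth a one-off check of existing user names, or at least a log line on rejection, before deploying. The enclosing `if path == "/" ... else ... end` starts and ends outside the hunk.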