back round 0 view raw

appview/knots, appview/spindles: strip protocol and @ symbol from user inputs #748

merged

opened by

evan.jarrett.net 1 month ago targeting master from evan.jarrett.net/core: input-sanitization

Summary#

Fixes input sanitization issues in spindle/knot registration and member management forms.

Changes#

Strip http://, https://, and trailing slashes from spindle/knot instance/domain inputs
Strip leading @ symbol from member inputs (add/remove) in both spindles and knots
Update form placeholders to show foo.bsky.social instead of @foo.bsky.social

Why#

Users naturally enter protocols (https://localhost:6555) or @ symbols (@evan.jarrett.net) based on UI placeholders, but the AT Protocol identity parser rejects these. This causes confusing failures during registration and member management.

options

unified split

Changed files

+21 -3

appview

knots

knots.go

pages

templates

knots

fragments

addMemberModal.html

repo

settings

access.html

spindles

fragments

addMemberModal.html

spindles

spindles.go

appview/knots/knots.go

···

       6
       6
        
       	"log/slog"

     

       7
       7
        
       	"net/http"

     

       8
       8
        
       	"slices"

     

       9
       9
       +
       	"strings"

     

       9
       10
        
       	"time"

     

       10
       11
        
       

     

       11
       12
        
       	"github.com/go-chi/chi/v5"

     
···

       145
       146
        
       	}

     

       146
       147
        
       

     

       147
       148
        
       	domain := r.FormValue("domain")

     

       149
       149
       +
       	// Strip protocol, trailing slashes, and whitespace

     

       150
       150
       +
       	// Rkey cannot contain slashes

     

       151
       151
       +
       	domain = strings.TrimSpace(domain)

     

       152
       152
       +
       	domain = strings.TrimPrefix(domain, "https://")

     

       153
       153
       +
       	domain = strings.TrimPrefix(domain, "http://")

     

       154
       154
       +
       	domain = strings.TrimSuffix(domain, "/")

     

       148
       155
        
       	if domain == "" {

     

       149
       156
        
       		k.Pages.Notice(w, noticeId, "Incomplete form.")

     

       150
       157
        
       		return

     
···

       526
       533
        
       	}

     

       527
       534
        
       

     

       528
       535
        
       	member := r.FormValue("member")

     

       536
       536
       +
       	member = strings.TrimPrefix(member, "@")

     

       529
       537
        
       	if member == "" {

     

       530
       538
        
       		l.Error("empty member")

     

       531
       539
        
       		k.Pages.Notice(w, noticeId, "Failed to add member, empty form.")

     
···

       626
       634
        
       	}

     

       627
       635
        
       

     

       628
       636
        
       	member := r.FormValue("member")

     

       637
       637
       +
       	member = strings.TrimPrefix(member, "@")

     

       629
       638
        
       	if member == "" {

     

       630
       639
        
       		l.Error("empty member")

     

       631
       640
        
       		k.Pages.Notice(w, noticeId, "Failed to remove member, empty form.")

+1 -1

appview/pages/templates/knots/fragments/addMemberModal.html

···

       34
       34
        
           id="member-did-{{ .Id }}"

     

       35
       35
        
           name="member"

     

       36
       36
        
           required

     

       37
       37
       -
           placeholder="@foo.bsky.social"

     

       37
       37
       +
           placeholder="foo.bsky.social"

     

       38
       38
        
         />

     

       39
       39
        
         <div class="flex gap-2 pt-2">

     

       40
       40
        
           <button

+1 -1

appview/pages/templates/repo/settings/access.html

···

       89
       89
        
           id="add-collaborator"

     

       90
       90
        
           name="collaborator"

     

       91
       91
        
           required

     

       92
       92
       -
           placeholder="@foo.bsky.social"

     

       92
       92
       +
           placeholder="foo.bsky.social"

     

       93
       93
        
         />

     

       94
       94
        
         <div class="flex gap-2 pt-2">

     

       95
       95
        
           <button

+1 -1

appview/pages/templates/spindles/fragments/addMemberModal.html

···

       36
       36
        
           id="member-did-{{ .Id }}"

     

       37
       37
        
           name="member"

     

       38
       38
        
           required

     

       39
       39
       -
           placeholder="@foo.bsky.social"

     

       39
       39
       +
           placeholder="foo.bsky.social"

     

       40
       40
        
         />

     

       41
       41
        
         <div class="flex gap-2 pt-2">

     

       42
       42
        
           <button

appview/spindles/spindles.go

···

       6
       6
        
       	"log/slog"

     

       7
       7
        
       	"net/http"

     

       8
       8
        
       	"slices"

     

       9
       9
       +
       	"strings"

     

       9
       10
        
       	"time"

     

       10
       11
        
       

     

       11
       12
        
       	"github.com/go-chi/chi/v5"

     
···

       146
       147
        
       	}

     

       147
       148
        
       

     

       148
       149
        
       	instance := r.FormValue("instance")

     

       150
       150
       +
       	// Strip protocol, trailing slashes, and whitespace

     

       151
       151
       +
       	// Rkey cannot contain slashes

     

       152
       152
       +
       	instance = strings.TrimSpace(instance)

     

       153
       153
       +
       	instance = strings.TrimPrefix(instance, "https://")

     

       154
       154
       +
       	instance = strings.TrimPrefix(instance, "http://")

     

       155
       155
       +
       	instance = strings.TrimSuffix(instance, "/")

     

       149
       156
        
       	if instance == "" {

     

       150
       157
        
       		s.Pages.Notice(w, noticeId, "Incomplete form.")

     

       151
       158
        
       		return

     
···

       484
       491
        
       	}

     

       485
       492
        
       

     

       486
       493
        
       	member := r.FormValue("member")

     

       494
       494
       +
       	member = strings.TrimPrefix(member, "@")

     

       487
       495
        
       	if member == "" {

     

       488
       496
        
       		l.Error("empty member")

     

       489
       497
        
       		s.Pages.Notice(w, noticeId, "Failed to add member, empty form.")

     
···

       613
       621
        
       	}

     

       614
       622
        
       

     

       615
       623
        
       	member := r.FormValue("member")

     

       624
       624
       +
       	member = strings.TrimPrefix(member, "@")

     

       616
       625
        
       	if member == "" {

     

       617
       626
        
       		l.Error("empty member")

     

       618
       627
        
       		s.Pages.Notice(w, noticeId, "Failed to remove member, empty form.")