From e3ad89032738cfd963d7d9ac732b693b6c62ff3c Mon Sep 17 00:00:00 2001
From: Evan Jarrett <evan@evanjarrett.com>
Date: Mon, 3 Nov 2025 21:46:45 -0600
Subject: [PATCH] appview/knots, appview/spindles: strip protocol and @ symbol
 from user inputs

Signed-off-by: Evan Jarrett <evan@evanjarrett.com>
---
 appview/knots/knots.go                                   | 9 +++++++++
 .../pages/templates/knots/fragments/addMemberModal.html  | 2 +-
 appview/pages/templates/repo/settings/access.html        | 2 +-
 .../templates/spindles/fragments/addMemberModal.html     | 2 +-
 appview/spindles/spindles.go                             | 9 +++++++++
 5 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/appview/knots/knots.go b/appview/knots/knots.go
index a5d41ed8..4dad147b 100644
--- a/appview/knots/knots.go
+++ b/appview/knots/knots.go
@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"net/http"
 	"slices"
+	"strings"
 	"time"
 
 	"github.com/go-chi/chi/v5"
@@ -145,6 +146,12 @@ func (k *Knots) register(w http.ResponseWriter, r *http.Request) {
 	}
 
 	domain := r.FormValue("domain")
+	// Strip protocol, trailing slashes, and whitespace
+	// Rkey cannot contain slashes
+	domain = strings.TrimSpace(domain)
+	domain = strings.TrimPrefix(domain, "https://")
+	domain = strings.TrimPrefix(domain, "http://")
+	domain = strings.TrimSuffix(domain, "/")
 	if domain == "" {
 		k.Pages.Notice(w, noticeId, "Incomplete form.")
 		return
@@ -526,6 +533,7 @@ func (k *Knots) addMember(w http.ResponseWriter, r *http.Request) {
 	}
 
 	member := r.FormValue("member")
+	member = strings.TrimPrefix(member, "@")
 	if member == "" {
 		l.Error("empty member")
 		k.Pages.Notice(w, noticeId, "Failed to add member, empty form.")
@@ -626,6 +634,7 @@ func (k *Knots) removeMember(w http.ResponseWriter, r *http.Request) {
 	}
 
 	member := r.FormValue("member")
+	member = strings.TrimPrefix(member, "@")
 	if member == "" {
 		l.Error("empty member")
 		k.Pages.Notice(w, noticeId, "Failed to remove member, empty form.")
diff --git a/appview/pages/templates/knots/fragments/addMemberModal.html b/appview/pages/templates/knots/fragments/addMemberModal.html
index be619a0f..cd594c55 100644
--- a/appview/pages/templates/knots/fragments/addMemberModal.html
+++ b/appview/pages/templates/knots/fragments/addMemberModal.html
@@ -34,7 +34,7 @@
     id="member-did-{{ .Id }}"
     name="member"
     required
-    placeholder="@foo.bsky.social"
+    placeholder="foo.bsky.social"
   />
   <div class="flex gap-2 pt-2">
     <button 
diff --git a/appview/pages/templates/repo/settings/access.html b/appview/pages/templates/repo/settings/access.html
index 3122ab6f..56da3ec9 100644
--- a/appview/pages/templates/repo/settings/access.html
+++ b/appview/pages/templates/repo/settings/access.html
@@ -89,7 +89,7 @@
     id="add-collaborator"
     name="collaborator"
     required
-    placeholder="@foo.bsky.social"
+    placeholder="foo.bsky.social"
   />
   <div class="flex gap-2 pt-2">
     <button
diff --git a/appview/pages/templates/spindles/fragments/addMemberModal.html b/appview/pages/templates/spindles/fragments/addMemberModal.html
index e8930714..d8266524 100644
--- a/appview/pages/templates/spindles/fragments/addMemberModal.html
+++ b/appview/pages/templates/spindles/fragments/addMemberModal.html
@@ -36,7 +36,7 @@
     id="member-did-{{ .Id }}"
     name="member"
     required
-    placeholder="@foo.bsky.social"
+    placeholder="foo.bsky.social"
   />
   <div class="flex gap-2 pt-2">
     <button 
diff --git a/appview/spindles/spindles.go b/appview/spindles/spindles.go
index 7c97e967..dcc660c9 100644
--- a/appview/spindles/spindles.go
+++ b/appview/spindles/spindles.go
@@ -6,6 +6,7 @@ import (
 	"log/slog"
 	"net/http"
 	"slices"
+	"strings"
 	"time"
 
 	"github.com/go-chi/chi/v5"
@@ -146,6 +147,12 @@ func (s *Spindles) register(w http.ResponseWriter, r *http.Request) {
 	}
 
 	instance := r.FormValue("instance")
+	// Strip protocol, trailing slashes, and whitespace
+	// Rkey cannot contain slashes
+	instance = strings.TrimSpace(instance)
+	instance = strings.TrimPrefix(instance, "https://")
+	instance = strings.TrimPrefix(instance, "http://")
+	instance = strings.TrimSuffix(instance, "/")
 	if instance == "" {
 		s.Pages.Notice(w, noticeId, "Incomplete form.")
 		return
@@ -484,6 +491,7 @@ func (s *Spindles) addMember(w http.ResponseWriter, r *http.Request) {
 	}
 
 	member := r.FormValue("member")
+	member = strings.TrimPrefix(member, "@")
 	if member == "" {
 		l.Error("empty member")
 		s.Pages.Notice(w, noticeId, "Failed to add member, empty form.")
@@ -613,6 +621,7 @@ func (s *Spindles) removeMember(w http.ResponseWriter, r *http.Request) {
 	}
 
 	member := r.FormValue("member")
+	member = strings.TrimPrefix(member, "@")
 	if member == "" {
 		l.Error("empty member")
 		s.Pages.Notice(w, noticeId, "Failed to remove member, empty form.")
-- 
2.43.0