Sanitize parameters on user edit page (fixes #289)

2026-01-25 00:00:36 -05:00 · 2022-04-04 03:20:52 +00:00
parent d1de8b7a4e
commit ebe2c8efed
3 changed files with 11 additions and 3 deletions
--- a/src/routes/admin.cr
+++ b/src/routes/admin.cr
@@ -1,3 +1,5 @@
+require "sanitize"
+
 struct AdminRouter
  def initialize
    get "/admin" do |env|
@@ -14,13 +16,13 @@ struct AdminRouter
    end

    get "/admin/user/edit" do |env|
-      username = env.params.query["username"]?
+      sanitizer = Sanitize::Policy::Text.new
+      username = env.params.query["username"]?.try { |s| sanitizer.process s }
      admin = env.params.query["admin"]?
      if admin
        admin = admin == "true"
      end
-      error = env.params.query["error"]?
-      current_user = get_username env
+      error = env.params.query["error"]?.try { |s| sanitizer.process s }
      new_user = username.nil? && admin.nil?
      layout "user-edit"
    end