Input sanitisation in userpages and user settings

app/v1/self.go

@@ -58,6 +58,12 @@ type userSettingsData struct {
 func UsersSelfSettingsPOST(md common.MethodData) common.CodeMessager {
 	var d userSettingsData
 	md.RequestData.Unmarshal(&d)
+
+	// input sanitisation
+	d.UsernameAKA = common.SanitiseString(d.UsernameAKA)
+	d.CustomBadge.Name = common.SanitiseString(d.CustomBadge.Name)
+	d.FavouriteMode = intPtrIn(0, d.FavouriteMode, 3)
+
 	q := new(common.UpdateQuery).
 		Add("s.username_aka", d.UsernameAKA).
 		Add("s.favourite_mode", d.FavouriteMode).
@@ -114,3 +120,16 @@ WHERE u.id = ?`, md.ID()).Scan(
 	}
 	return r
 }
+
+func intPtrIn(x int, y *int, z int) *int {
+	if y == nil {
+		return nil
+	}
+	if *y > z {
+		return nil
+	}
+	if *y < x {
+		return nil
+	}
+	return y
+}

app/v1/user.go

@@ -345,7 +345,8 @@ func UserSelfUserpagePOST(md common.MethodData) common.CodeMessager {
 	if d.Data == nil {
 		return ErrMissingField("data")
 	}
-	_, err := md.DB.Exec("UPDATE users_stats SET userpage_content = ? WHERE id = ? LIMIT 1", *d.Data, md.ID())
+	cont := common.SanitiseString(*d.Data)
+	_, err := md.DB.Exec("UPDATE users_stats SET userpage_content = ? WHERE id = ? LIMIT 1", cont, md.ID())
 	if err != nil {
 		md.Err(err)
 	}