Input sanitisation in userpages and user settings

2016-11-21 16:59:17 +01:00
parent 78a1c1d038
commit 20dba6cd86
4 changed files with 78 additions and 1 deletions
--- a/app/v1/user.go
+++ b/app/v1/user.go
@@ -345,7 +345,8 @@ func UserSelfUserpagePOST(md common.MethodData) common.CodeMessager {
 	if d.Data == nil {
 		return ErrMissingField("data")
 	}
-	_, err := md.DB.Exec("UPDATE users_stats SET userpage_content = ? WHERE id = ? LIMIT 1", *d.Data, md.ID())
+	cont := common.SanitiseString(*d.Data)
+	_, err := md.DB.Exec("UPDATE users_stats SET userpage_content = ? WHERE id = ? LIMIT 1", cont, md.ID())
 	if err != nil {
 		md.Err(err)
 	}