Escape rendered suggestion content and validate URLs
@@ -164,6 +164,13 @@ internal static class EndpointHelpers
|
||||
return data[8..].StartsWith(brandBytes);
|
||||
}
|
||||
|
||||
public static bool IsValidHttpUrl(string? url)
|
||||
{
|
||||
if (string.IsNullOrWhiteSpace(url)) return true; // empty is allowed
|
||||
if (!Uri.TryCreate(url, UriKind.Absolute, out var uri)) return false;
|
||||
return uri.Scheme is "http" or "https";
|
||||
}
|
||||
|
||||
public static async Task<bool> IsAdmin(HttpContext ctx, AppDbContext db, IConfiguration config)
|
||||
{
|
||||
var player = await GetAuthenticatedPlayer(ctx, db);
|
||||
|
||||
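Review bot: `IsValidHttpUrl` returns true for null and for whitespace-only input (the `IsNullOrWhiteSpace` early return), which the name does not suggest, so a caller that keeps the raw string will store `"   "` as a URL unless it normalizes blank to null itself. I would document that contract on the method, e.g. `/// <summary>True when url is null/blank (optional field) or an absolute http/https URI; the host is not checked.</summary>`. The scheme comparison is sound because `Uri.Scheme` is returned lower-cased, though `return uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps;` would state the intent without string literals. The check runs on the parsed `Uri` while callers keep the original string, so the rendering side should still escape the value instead of relying on this check alone.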
@@ -57,6 +57,10 @@ public static class SuggestEndpoints
|
||||
{
|
||||
return Results.BadRequest(new { error = "Screenshot URL could not be validated as an image." });
|
||||
}
|
||||
if (!EndpointHelpers.IsValidHttpUrl(request.GameUrl))
|
||||
return Results.BadRequest(new { error = "Game URL must be http or https." });
|
||||
if (!EndpointHelpers.IsValidHttpUrl(request.YoutubeUrl))
|
||||
return Results.BadRequest(new { error = "YouTube URL must be http or https." });
|
||||
|
||||
if (!ValidatePlayers(request.MinPlayers, request.MaxPlayers, out var playersError))
|
||||
return Results.BadRequest(new { error = playersError });
|
||||
@@ -160,6 +164,10 @@ public static class SuggestEndpoints
|
||||
{
|
||||
return Results.BadRequest(new { error = "Screenshot URL could not be validated as an image." });
|
||||
}
|
||||
if (!EndpointHelpers.IsValidHttpUrl(request.GameUrl))
|
||||
return Results.BadRequest(new { error = "Game URL must be http or https." });
|
||||
if (!EndpointHelpers.IsValidHttpUrl(request.YoutubeUrl))
|
||||
return Results.BadRequest(new { error = "YouTube URL must be http or https." });
|
||||
|
||||
if (!ValidatePlayers(request.MinPlayers, request.MaxPlayers, out var playersError))
|
||||
return Results.BadRequest(new { error = playersError });
|
||||
|
||||
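Review bot: The `YoutubeUrl` check at both insertion points only enforces the scheme, so any http(s) host passes even though the field and its error message are YouTube-specific. If the value is later used for an embed or a labelled link (not visible here), a host allowlist belongs next to the scheme check, e.g. `uri.Host is "www.youtube.com" or "youtube.com" or "youtu.be"`. The same four lines are added in two handlers (the hunk at `-57,6 +57,10` and the one at `-160,6 +164,10`), so a small shared helper in the style of `ValidatePlayers(..., out var playersError)` would keep the two paths from drifting apart. The new `if` statements are brace-less while the screenshot check directly above them uses braces; matching that would be consistent. Both enclosing methods start and end outside the hunks.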