utils: add a simple regex-based CSS validator (#11)

* Property name is [a-zA-Z-]+
* Value is anything but ;{}'"

app/forms/trophy.py

@@ -2,6 +2,7 @@ from flask_wtf import FlaskForm
 from wtforms import StringField, SubmitField, BooleanField
 from wtforms.validators import InputRequired, Optional
 from flask_wtf.file import FileField  # Cuz' wtforms' FileField is shitty
+import app.utils.validators
 
 
 class TrophyForm(FlaskForm):
@@ -34,6 +35,9 @@ class TrophyForm(FlaskForm):
     css = StringField(
         'CSS',
         description='CSS appliqué au titre, le cas échéant.',
+        validators=[
+            app.utils.validators.css,
+        ],
     )
     submit = SubmitField(
         'Envoyer',

app/utils/validators/__init__.py

@@ -8,6 +8,8 @@ from app.utils.validators.file import *
 from app.utils.validators.name import *
 from app.utils.validators.password import *
 
+import re
+
 
 def email(form, email):
     member = Member.query.filter_by(email=email.data).first()
@@ -30,8 +32,13 @@ def id_exists(object):
 
 def css(form, css):
     """Check if input is valid and sane CSS"""
-    pass
+    prop = r'[a-zA-Z-]+\s*:\s*[^;{}\'"]+'
+    stylesheet = rf'\s*(?:{prop};\s*)*{prop};?\s*'
 
+    if re.fullmatch(stylesheet, css.data) is None:
+        raise ValidationError('CSS invalide (les caractères ;{}\'" sont '+\
+            'interdits dans les valeurs)')
+    return True
 
 def own_title(form, title):
     # Everyone can use "Member"