From 8f0e15029c18a8bdadfa1d1a2b884cd3480b3b74 Mon Sep 17 00:00:00 2001
From: Lephe
Date: Thu, 8 Jul 2021 10:59:13 +0200
Subject: [PATCH] utils: add a simple regex-based CSS validator (#11)

* Property name is [a-zA-Z-]+
* Value is anything but ;{}'"
---
 app/forms/trophy.py | 4 ++++
 app/utils/validators/__init__.py | 9 ++++++++-
 2 files changed, 12 insertions(+), 1 deletion(-)

diff --git a/app/forms/trophy.py b/app/forms/trophy.py
index 4a77b02..2558bd2 100644
--- a/app/forms/trophy.py
+++ b/app/forms/trophy.py
@@ -2,6 +2,7 @@ from flask_wtf import FlaskForm
 from wtforms import StringField, SubmitField, BooleanField
 from wtforms.validators import InputRequired, Optional
 from flask_wtf.file import FileField # Cuz' wtforms' FileField is shitty
+import app.utils.validators
 
 
 class TrophyForm(FlaskForm):
@@ -34,6 +35,9 @@ class TrophyForm(FlaskForm):
 css = StringField(
 'CSS',
 description='CSS appliqué au titre, le cas échéant.',
+ validators=[
+ app.utils.validators.css,
+ ],
 )
 submit = SubmitField(
 'Envoyer',
diff --git a/app/utils/validators/__init__.py b/app/utils/validators/__init__.py
index 08899e4..364d0c8 100644
--- a/app/utils/validators/__init__.py
+++ b/app/utils/validators/__init__.py
@@ -8,6 +8,8 @@ from app.utils.validators.file import *
 from app.utils.validators.name import *
 from app.utils.validators.password import *
 
+import re
+
 
 def email(form, email):
 member = Member.query.filter_by(email=email.data).first()
@@ -30,8 +32,13 @@ def id_exists(object):
 
 def css(form, css):
 """Check if input is valid and sane CSS"""
- pass
+ prop = r'[a-zA-Z-]+\s*:\s*[^;{}\'"]+'
+ stylesheet = rf'\s*(?:{prop};\s*)*{prop};?\s*'
+ if re.fullmatch(stylesheet, css.data) is None:
+ raise ValidationError('CSS invalide (les caractères ;{}\'" sont '+\
+ 'interdits dans les valeurs)')
+ return True
 
 
 def own_title(form, title):
 # Everyone can use "Member"
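Review bot: The new `validators` list on the `css` field has no `Optional()` ahead of the custom validator, so an empty field is still passed to `app.utils.validators.css`, whose pattern (second file of this patch) requires at least one `name: value` declaration and therefore rejects the empty string. The field description says the CSS applies only "le cas échéant", which reads as optional; if that is the intent the list should be `validators=[Optional(), app.utils.validators.css]`, and `Optional` is already imported from `wtforms.validators` in this file's first hunk. If the field is actually mandatory, the description should be changed instead so the behaviour matches what the form tells the user. The `TrophyForm` class body continues outside the hunk.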
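Review bot: The value class `[^;{}\'"]+` rejects only the four delimiter characters named in the commit message, so a value that passes `css()` is not thereby safe to emit: the template that writes it into a `<style>` block or a `style` attribute must still escape it, and the docstring's "sane" overstates what is checked. Since `<`, `>` and `\` are still accepted, consider widening the exclusion to `[^;{}\'"<>\\]+` and, because this guards a single title style, restricting the property name to an allowlist rather than `[a-zA-Z-]+`; a comment such as `# Only rejects delimiters; rendering must still escape the value` would make the actual guarantee explicit. WTForms ignores a validator's return value, so `return True` is dead code, and the `'+\` continuation inside the `raise` parentheses is unnecessary because adjacent string literals concatenate implicitly. The module continues past the hunk (`own_title`), so the error-message style of the sibling validators is not visible here.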