Diffstat (limited to 'ctl.c')
-rw-r--r-- | ctl.c | 49 |
1 files changed, 47 insertions, 2 deletions
@@ -21,6 +21,23 @@ printdate(int timestamp)
 printf(buf);
 }
 
+/* Print HTML-escaped string. */
+void
+printhtml(char *s)
+{
+ char *t;
+
+ for(t = s; *t; t++)
+ switch(*t){
+ case '&': printf("&"); break;
+ case '\"': printf("""); break;
+ case '\'': printf("'"); break;
+ case '<': printf("<"); break;
+ case '>': printf(">"); break;
+ default: printf("%c", *t);
+ }
+}
+
 /*
 * The `new' functions provide a way to add a new attachment/post/user.
 * On GET, they show a form. On POST, they insert the posted information
@@ -39,6 +56,7 @@ newuser()
 {
 char *confirm, *hlite, msg[128], *name, *full, *p, *pass, *v;
 char title[] = "New User";
+ int i;
 
 *msg = 0;
 confirm = hlite = name = full = pass = NULL;
@@ -73,8 +91,14 @@ newuser()
 }
 
 /* Decode URL-encoded fields. */
+ if(name && *name)
+ name[urldecode(name, -1)] = 0;
+ if(full && *full)
+ full[urldecode(full, -1)] = 0;
+ if(pass && *pass)
+ pass[urldecode(pass, -1)] = 0;
 
- /* Restrain lengths of decoded fields. */
+ /* Constrain lengths of decoded fields. */
 if(name && *name && strlen(name)-1 > MAXUSERNAME){
 hlite = strdup("name");
 snprintf(msg, 128, "Username longer than %d characters",
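Review bot: printhtml never writes through `s`, so its parameter should be declared `const char *s` so callers can pass string literals and const buffers without a cast. As this page renders the hunk, the `'&'`, `'\"'` and `'\''` cases print the character back unchanged (`printf("&")`), which would escape nothing; if the web view merely decoded entity literals such as `&amp;` and `&quot;` in the source this is fine, otherwise those three cases must emit the entity strings. For the single-character default case `putchar(*t)` says the same thing as `printf("%c", *t)` with less machinery. Unrelated to the change, the context line `printf(buf);` in printdate passes a non-literal format string; `fputs(buf, stdout);` avoids treating the buffer's contents as format directives.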
@@ -94,13 +118,34 @@ newuser()
 goto err;
 }
 
+#define ISVIS(c) ((unsigned int)c >= 20)
+#define ISALNUM(c) (c>='A' && c<='Z' || c>='a' && c<='z' || c>='0' && c<='9')
+
+ /* Constrain character sets. */
+ for(i = 0; name[i]; i++)
+ if(!ISVIS(name[i]) || !(name[i] == '_' || ISALNUM(name[i]))){
+ hlite = strdup("name");
+ snprintf(msg, 128,
+ "Username may only contain ASCII letters, "
+ "numbers and underscores.");
+ goto err;
+ }
+ for(i = 0; full[i]; i++)
+ if(!ISVIS(full[i])){
+ fprintf(stderr, "%d\n", full[i]);
+ hlite = strdup("full");
+ snprintf(msg, 128,
+ "Full name may only contain visible characters");
+ goto err;
+ }
+
 /* Ensure all required fields are there. */
 if(!name || !*name || !pass || !*pass){
 hlite = (!name || !*name)? strdup("name"): strdup("pass");
 snprintf(msg, 128, "Required field missing");
 goto err;
 }
-
+
 if(pass && confirm && strcmp(pass, confirm) != 0){
 snprintf(msg, 128, "Passwords do not match");
 goto err;
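Review bot: The two new character-set loops dereference `name` and `full` before the "Ensure all required fields" check that follows them, and both pointers start out NULL in newuser (and `full` is never required), so a request omitting either field crashes on `name[i]`/`full[i]`; guard them with `for(i = 0; name && name[i]; i++)` and `for(i = 0; full && full[i]; i++)`, or move the required-fields block above the loops. ISVIS compares against decimal 20 rather than 0x20, so control bytes 20–31 are accepted as visible, and converting a possibly negative `char` to `unsigned int` also lets DEL and every byte ≥ 0x80 through; `#define ISVIS(c) ((unsigned char)(c) >= 0x20 && (unsigned char)(c) != 0x7f)` matches the stated ASCII intent (whether non-ASCII full names should be allowed is a separate decision). The `fprintf(stderr, "%d\n", full[i]);` line looks like leftover debugging output and writes user-supplied bytes to the error log on every rejection. ISALNUM should also parenthesize its argument as `(c)` so it stays correct for non-trivial expressions.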