Added URL args validation.

2025-03-09 15:40:18 +00:00 · 2020-06-21 01:45:24 -07:00 · 2020-06-21 01:45:24 -07:00 · a7ea8fead5
commit a7ea8fead5
parent 16b25b04b0
6 changed files with 22 additions and 8 deletions
--- a/views/default-mobile.handlebars
+++ b/views/default-mobile.handlebars
@ -735,7 +735,10 @@
        for (var i in webState) { localStorage.setItem(i, webState[i]); }
        if (!webState.loctag) { delete localStorage.removeItem('loctag'); }

-        var args = parseUriArgs(), urlargs = args;
+        var urlargs = parseUriArgs();
+        if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
+        if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
+        var args = urlargs;
        var debugLevel = parseInt('{{{debuglevel}}}');
        var features = parseInt('{{{features}}}');
        var sessionTime = parseInt('{{{sessiontime}}}');
--- a/views/default.handlebars
+++ b/views/default.handlebars
@ -1273,8 +1273,10 @@
                if (top != self && (loc == null || top.active == false)) { top.location = self.location; return; }
            }

-            // Fetch URL arguments
+            // Fetch URL arguments & do sanitation
            urlargs = parseUriArgs();
+            if (urlargs.key && (isAlphaNumeric(urlargs.key) == false)) { delete urlargs.key; }
+            if (urlargs.locale && (isAlphaNumeric(urlargs.locale) == false)) { delete urlargs.locale; }
            delete urlargs.viewmode;
            delete urlargs.gotonode;
            delete urlargs.gotomesh;
@ -1282,12 +1284,13 @@
            delete urlargs.gotougrp;

            // Fix links if a loginKey is used
-            if (urlargs.key) {
-                Q('termsLinkFooter').href += '?key=' + urlargs.key;
-            }
+            if (urlargs.key) { Q('termsLinkFooter').href += '?key=' + urlargs.key; }

            // Check if we are in debug mode
            args = parseUriArgs();
+            if (args.key && (isAlphaNumeric(args.key) == false)) { delete args.key; }
+            if (args.locale && (isAlphaNumeric(args.locale) == false)) { delete args.locale; }
+
            if (!args.locale) { var x = getstore('loctag', 0); if ((x != null) && (x != '*')) { args.locale = x; } }
            debugmode = args.debug;

--- a/views/messenger.handlebars
+++ b/views/messenger.handlebars
@ -42,9 +42,11 @@
        <input id="uploadFileInput" type="file" multiple style="display:none">
        <script type="text/javascript" onunload="onUnLoad()">
            var userInputFocus = 0;
-            var args = parseUriArgs();
            var socket = null;                  // Websocket object
            var state = 0;                      // Connection state. 0 = Disconnected, 1 = Connecting, 2 = Connected.
+            var args = parseUriArgs();
+            if (args.key && (isAlphaNumeric(args.key) == false)) { delete args.key; }
+            if (args.locale && (isAlphaNumeric(args.locale) == false)) { delete args.locale; }

            // WebRTC sessions and data, audio and video channels
            var random = Math.random();         // Selected random, larger value initiates WebRTC.