Enforce HTTPS for new profile images

This commit is contained in:
Calvin Montgomery 2016-12-13 22:44:23 -08:00
parent 53d385f53e
commit 8719527a31
2 changed files with 78 additions and 15 deletions

View File

@ -13,6 +13,7 @@ var Config = require("../config");
var Server = require("../server");
var session = require("../session");
var csrf = require("./csrf");
const url = require("url");
/**
* Handles a GET request for /account/edit
@ -396,6 +397,25 @@ function handleAccountProfilePage(req, res) {
});
}
function validateProfileImage(image, callback) {
var prefix = "Invalid URL for profile image: ";
var link = image.trim();
if (!link) {
process.nextTick(callback, null, link);
} else {
var data = url.parse(link);
if (!data.protocol || data.protocol !== 'https:') {
process.nextTick(callback,
new Error(prefix + " URL must begin with 'https://'"));
} else if (!data.host) {
process.nextTick(callback,
new Error(prefix + "missing hostname"));
} else {
process.nextTick(callback, null, link);
}
}
}
/**
* Handles a POST request to edit a profile
*/
@ -410,8 +430,21 @@ function handleAccountProfile(req, res) {
});
}
var image = req.body.image;
var text = req.body.text;
var rawImage = String(req.body.image).substring(0, 255);
var text = String(req.body.text).substring(0, 255);
validateProfileImage(rawImage, (error, image) => {
if (error) {
db.users.getProfile(req.user.name, function (err, profile) {
var errorMessage = err || error.message;
sendPug(res, "account-profile", {
profileImage: profile ? profile.image : "",
profileText: profile ? profile.text : "",
profileError: errorMessage
});
});
return;
}
db.users.setProfile(req.user.name, { image: image, text: text }, function (err) {
if (err) {
@ -429,6 +462,7 @@ function handleAccountProfile(req, res) {
profileError: false
});
});
});
}
/**

View File

@ -35,13 +35,42 @@ html(lang="en")
input(type="hidden", name="_csrf", value=csrfToken)
.form-group
label.control-label(for="profileimage") Image
input#profileimage.form-control(type="text", name="image")
input#profileimage.form-control(type="text", name="image", maxlength="255")
.form-group
label.control-label(for="profiletext") Text
textarea#profiletext.form-control(cols="10", name="text")= profileText
textarea#profiletext.form-control(cols="10", name="text", maxlength="255")= profileText
button.btn.btn-primary.btn-block(type="submit") Save
include footer
+footer()
script(type="text/javascript").
$("#profileimage").val("#{profileImage}");
var $profileImage = $("#profileimage");
$profileImage.val("#{profileImage}");
var hasError = false;
function validateImage() {
var value = $profileImage.val().trim();
$profileImage.val(value);
if (!/^$|^https:/.test(value)) {
hasError = true;
$profileImage.parent().addClass("has-error");
var $error = $("#profileimage-error");
if ($error.length === 0) {
$error = $("<p/>")
.attr({ id: "profileimage-error" })
.addClass("text-danger")
.html("Profile image must be a URL beginning with <code>https://</code>")
.insertAfter($profileImage);
}
} else {
hasError = false;
$profileImage.parent().removeClass("has-error");
$("#profileimage-error").remove();
}
}
$("form").submit(function (event) {
validateImage();
if (hasError) {
event.preventDefault();
}
});