Sanitizing Usernames to Prevent URL Encoding Exploits #1

Merged
videotoaster merged 3 commits from Danii/morsel:main into main 2023-01-10 13:48:17 +00:00
2 changed files with 3 additions and 1 deletions


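--- a/<python file, path not shown on page>
+++ b/<python file, path not shown on page>
@@ -34,7 +34,8 @@ def logout():
 def register():
 error = None
 if request.method == 'POST':
-if (not uexist(request.form['username'])) and len(request.form['password']) >= 8 and request.form['username'].strip() != "":
+if ((not uexist(request.form['username'])) and len(request.form['password']) >= 8
+and request.form['username'].strip() != "" and not any(illegal_character in request.form['username'] for illegal_character in "%&.+?;")):
 newuser(request.form['username'], request.form['password'])
 return redirect('/login?success', 303)
 elif len(request.form['password']) < 8: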
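Review bot: The added condition on the second `if` line is a denylist of six characters, which still lets other URL-significant input through (`/`, `#`, `=`, whitespace, non-ASCII), so it blocks one instance of the problem in the title rather than the class; an allowlist such as `re.fullmatch(r"[A-Za-z0-9_-]{1,32}", request.form['username'])` would make the accepted set explicit and also bound the length. The emptiness test uses `.strip()` but `newuser` receives the unstripped value, so a name with surrounding whitespace passes the check and is stored verbatim. `uexist` is still evaluated before the character check, so the lookup runs on unvalidated input; evaluating the syntactic checks first is both cheaper and safer. The template hunk below repeats the literal `%&.+?;`, so the two have to be kept in sync whenever the rule changes. The body of `register` continues outside the hunk.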


@ -17,6 +17,7 @@
<form action="/reg" method="POST">
<ul>
<li>Password must be at least 8 characters long.</li>
<li>Username must not contain any of the following characters: %&.+?;</li>
<li>Username may not contain offensive content.</li>
<li>Your username cannot be changed later.</li>
</ul>