author | Stefan <mu.stefan@googlemail.com> | 2014-11-08 17:26:40 +0100 |
---|---|---|
committer | Stefan <mu.stefan@googlemail.com> | 2014-11-08 17:26:40 +0100 |
commit | 573a912e4f1b481fca8f3c8146972e78f76278e2 (patch) | |
tree | 2b0d680f242f1defcc92197dc6427210c5a67296 /src | |
parent | e1fe1f0f9cf45b193c49dd159cb15124bcd8e743 (diff) | |
Add check for special url characters to createPad API function
Diffstat (limited to 'src')
-rw-r--r-- | src/node/db/API.js | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/src/node/db/API.js b/src/node/db/API.js
index 4a912368..79f5fbeb 100644
--- a/src/node/db/API.js
+++ b/src/node/db/API.js
@@ -544,12 +544,21 @@ Example returns:
 exports.createPad = function(padID, text, callback)
 {
 //ensure there is no $ in the padID
- if(padID && padID.indexOf("$") != -1)
+ if(padID)
 {
- callback(new customError("createPad can't create group pads","apierror"));
- return;
+ if(padID.indexOf("$") != -1)
+ {
+ callback(new customError("createPad can't create group pads","apierror"));
+ return;
+ }
+ //check for url special characters
+ else if(padID.match(/(\/|\?|&|#)/))
+ {
+ callback(new customError("malformed padID: Remove special characters","apierror"));
+ return;
+ }
 }
-
+
 //create pad
 getPadSafe(padID, false, text, function(err)
 { |
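Review bot: The new `padID.match(...)` branch in createPad assumes padID is a string, and nothing visible in the hunk guarantees that. If the API layer can hand over a non-string value (an array has `indexOf` but no `match`), this line would throw instead of returning an apierror. A guard placed before both checks, such as `if(typeof padID !== "string") { callback(new customError("padID is not a string","apierror")); return; }`, would keep the failure on the callback path. The pattern is also a denylist of four characters (`/`, `?`, `&`, `#`), so other URL-significant input such as `%`, `\`, whitespace and control characters still passes; an allowlist of the characters pad names may contain would be easier to reason about. Other pad-creating API functions are outside this hunk, so confirm they apply the same validation, ideally through one shared helper. createPad's body continues past the end of the hunk.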