Fix URI encoding on register/login, also fix database escape bug
This commit is contained in:
calzoneman
parent
c7aac027dd
commit
b9e465b714
11
api.js
11
api.js
|
|
@ -235,7 +235,7 @@ module.exports = function (Server) {
|
|||
|
||||
handlePasswordReset: function (params, req, res) {
|
||||
var name = params.name || "";
|
||||
var email = unescape(params.email || "");
|
||||
var email = params.email || "";
|
||||
var ip = getIP(req);
|
||||
|
||||
var hash = false;
|
||||
|
|
@ -353,8 +353,11 @@ module.exports = function (Server) {
|
|||
var name = params.name || "";
|
||||
var pw = params.pw || "";
|
||||
var session = params.session || "";
|
||||
var img = unescape(params.profile_image || "");
|
||||
var text = unescape(params.profile_text || "");
|
||||
var img = params.profile_image || "";
|
||||
var text = params.profile_text || "";
|
||||
console.log(name);
|
||||
console.log(img);
|
||||
console.log(text);
|
||||
|
||||
var row = Auth.login(name, pw, session);
|
||||
if(!row) {
|
||||
|
|
@ -394,7 +397,7 @@ module.exports = function (Server) {
|
|||
handleEmailChange: function (params, req, res) {
|
||||
var name = params.name || "";
|
||||
var pw = params.pw || "";
|
||||
var email = unescape(params.email) || "";
|
||||
var email = params.email || "";
|
||||
// perhaps my email regex isn't perfect, but there's no freaking way
|
||||
// I'm implementing this monstrosity:
|
||||
// <http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html>
|
||||
|
|
|
|||
|
|
@ -86,6 +86,11 @@ function createQuery(template, args) {
|
|||
var idx = template.indexOf("?", last);
|
||||
var arg = args.shift();
|
||||
arg = sqlEscape(arg);
|
||||
// Stupid workaround because even if I call replace() with a string
|
||||
// and not a regex, '$' still holds special meaning
|
||||
// this actually replaces '$' with '$$'
|
||||
// What the hell, Javascript?
|
||||
arg = arg.replace(/\$/g, "$$$$");
|
||||
var first = template.substring(0, idx);
|
||||
template = first + template.substring(idx).replace("?", arg);
|
||||
last = idx + arg.length;
|
||||
|
|
|
|||
|
|
@ -15,7 +15,8 @@ var api = WEB_URL + "/api/json/";
|
|||
var loggedin = false;
|
||||
|
||||
if(uname && session) {
|
||||
var loginstr = "name=" + uname + "&session=" + session;
|
||||
var loginstr = "name=" + encodeURIComponent(uname)
|
||||
+ "&session=" + session;
|
||||
var url = api + "login?" + loginstr + "&callback=?";
|
||||
$.getJSON(url, function(data) {
|
||||
if(data.success) {
|
||||
|
|
@ -56,7 +57,7 @@ $("#email").click(makeTabCallback("#email", "#changeemailpane"));
|
|||
$("#profile").click(makeTabCallback("#profile", "#profilepane"));
|
||||
$("#profile").click(function() {
|
||||
if(uname != "") {
|
||||
$.getJSON(api + "getprofile?name=" + uname + "&callback=?", function(data) {
|
||||
$.getJSON(api + "getprofile?name=" + encodeURIComponent(uname) + "&callback=?", function(data) {
|
||||
if(data.success) {
|
||||
$("#profiletext").val(data.profile_text);
|
||||
$("#profileimg").val(data.profile_image);
|
||||
|
|
@ -107,8 +108,8 @@ $("#registerbtn").click(function() {
|
|||
|
||||
// Input valid, try registering
|
||||
var url = api + "register?" + [
|
||||
"name=" + name,
|
||||
"pw=" + pw
|
||||
"name=" + encodeURIComponent(name),
|
||||
"pw=" + encodeURIComponent(pw)
|
||||
].join("&") + "&callback=?";
|
||||
|
||||
$.getJSON(url, function(data) {
|
||||
|
|
@ -142,7 +143,8 @@ $("#loginbtn").click(function() {
|
|||
return;
|
||||
}
|
||||
uname = $("#loginusername").val();
|
||||
var loginstr = "name=" + uname + "&pw=" + $("#loginpw").val();
|
||||
var loginstr = "name=" + encodeURIComponent(uname)
|
||||
+ "&pw=" + encodeURIComponent($("#loginpw").val());
|
||||
var url = api + "login?" + loginstr + "&callback=?";
|
||||
$.getJSON(url, function(data) {
|
||||
if(data.success) {
|
||||
|
|
@ -202,9 +204,9 @@ $("#cpwbtn").click(function() {
|
|||
|
||||
// Input valid, try changing password
|
||||
var url = api + "changepass?" + [
|
||||
"name=" + name,
|
||||
"oldpw=" + oldpw,
|
||||
"newpw=" + newpw
|
||||
"name=" + encodeURIComponent(name),
|
||||
"oldpw=" + encodeURIComponent(oldpw),
|
||||
"newpw=" + encodeURIComponent(newpw)
|
||||
].join("&") + "&callback=?";
|
||||
$.getJSON(url, function(data) {
|
||||
if(data.success) {
|
||||
|
|
@ -253,11 +255,10 @@ $("#cebtn").click(function() {
|
|||
return;
|
||||
}
|
||||
|
||||
email = escape(email);
|
||||
var url = api + "setemail?" + [
|
||||
"name=" + name,
|
||||
"pw=" + pw,
|
||||
"email=" + email
|
||||
"name=" + encodeURIComponent(name),
|
||||
"pw=" + encodeURIComponent(pw),
|
||||
"email=" + encodeURIComponent(email)
|
||||
].join("&") + "&callback=?";
|
||||
$.getJSON(url, function(data) {
|
||||
if(data.success) {
|
||||
|
|
@ -284,10 +285,9 @@ $("#rpbtn").click(function() {
|
|||
var name = $("#rpusername").val();
|
||||
var email = $("#rpemail").val();
|
||||
|
||||
email = escape(email);
|
||||
var url = api + "resetpass?" + [
|
||||
"name=" + name,
|
||||
"email=" + email
|
||||
"name=" + encodeURIComponent(name),
|
||||
"email=" + encodeURIComponent(email)
|
||||
].join("&") + "&callback=?";
|
||||
$.getJSON(url, function(data) {
|
||||
$("#rpbtn").text("Send Reset");
|
||||
|
|
@ -309,15 +309,17 @@ $("#profilesave").click(function() {
|
|||
$("#profilepane").find(".alert-error").remove();
|
||||
$("#profilepane").find(".alert-success").remove();
|
||||
var img = $("#profileimg").val();
|
||||
/*
|
||||
img = escape(img).replace(/\//g, "%2F")
|
||||
.replace(/&/g, "%26")
|
||||
.replace(/=/g, "%3D")
|
||||
.replace(/\?/g, "%3F");
|
||||
*/
|
||||
var url = api + "setprofile?" + [
|
||||
"name=" + uname,
|
||||
"name=" + encodeURIComponent(uname),
|
||||
"session=" + session,
|
||||
"profile_image=" + img,
|
||||
"profile_text=" + escape($("#profiletext").val())
|
||||
"profile_image=" + encodeURIComponent(img),
|
||||
"profile_text=" + encodeURIComponent($("#profiletext").val())
|
||||
].join("&") + "&callback=?";
|
||||
|
||||
$.getJSON(url, function(data) {
|
||||
|
|
|
|||
|
|
@ -332,7 +332,8 @@ function setupCallbacks() {
|
|||
CLIENT.logged_in = true;
|
||||
socket.emit("acp-init");
|
||||
if(SESSION) {
|
||||
AUTH = "name=" + CLIENT.name + "&session=" + SESSION;
|
||||
AUTH = "name=" + encodeURIComponent(CLIENT.name)
|
||||
+ "&session=" + SESSION;
|
||||
createCookie("cytube_uname", CLIENT.name, 7);
|
||||
createCookie("cytube_session", SESSION, 7);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -49,7 +49,7 @@
|
|||
var uname = readCookie("cytube_uname") || "";
|
||||
var p = "";
|
||||
if(uname && session) {
|
||||
$.getJSON(WEB_URL+"/api/json/login?name="+uname+"&session="+session+"&callback=?", function(data) {
|
||||
$.getJSON(WEB_URL+"/api/json/login?name="+encodeURIComponent(uname)+"&session="+session+"&callback=?", function(data) {
|
||||
if(data.success) {
|
||||
$(".loginform").remove();
|
||||
createCookie("cytube_uname", uname, 7);
|
||||
|
|
@ -63,7 +63,8 @@
|
|||
var q = "";
|
||||
$("#login").click(function() {
|
||||
uname = $("#name").val();
|
||||
q = "name=" + $("#name").val() + "&pw=" + $("#pw").val();
|
||||
q = "name=" + encodeURIComponent($("#name").val())
|
||||
+ "&pw=" + encodeURIComponent($("#pw").val());
|
||||
$.getJSON(WEB_URL+"/api/json/login?"+q+"&callback=?", function(data) {
|
||||
if(data.success) {
|
||||
$(".loginform").remove();
|
||||
|
|
|
|||
|
|
@ -66,7 +66,9 @@
|
|||
window.addEventListener("message", respond, false);
|
||||
|
||||
$("#login").click(function() {
|
||||
$.getJSON(WEB_URL+"/api/json/login?name="+$("#username").val()+"&pw="+$("#pw").val()+"&callback=?", function(data) {
|
||||
var u = encodeURIComponent($("#username").val());
|
||||
var p = encodeURIComponent($("#pw").val());
|
||||
$.getJSON(WEB_URL+"/api/json/login?name="+u+"&pw="+p+"&callback=?", function(data) {
|
||||
data.uname = $("#username").val();
|
||||
source.postMessage("cytube-login:"+JSON.stringify(data), document.location);
|
||||
});
|
||||
|
|
|
|||
Loading…
Reference in a new issue