etherpad-lite/src/node/hooks/express/padurlsanitize.js

const padManager = require('../../db/PadManager');
const url = require('url');

exports.expressCreateServer = function (hook_name, args, cb) {
  // redirects browser to the pad's sanitized url if needed. otherwise, renders the html
  args.app.param('pad', async (req, res, next, padId) => {
    // ensure the padname is valid and the url doesn't end with a /
    if (!padManager.isValidPadId(padId) || /\/$/.test(req.url)) {
      res.status(404).send('Such a padname is forbidden');
      return;
    }

    const sanitizedPadId = await padManager.sanitizePadId(padId);

    if (sanitizedPadId === padId) {
      // the pad id was fine, so just render it
      next();
    } else {
      // the pad id was sanitized, so we redirect to the sanitized version
      let real_url = sanitizedPadId;
      real_url = encodeURIComponent(real_url);
      const query = url.parse(req.url).query;
      if (query) real_url += `?${query}`;
      res.header('Location', real_url);
      res.status(302).send(`You should be redirected to <a href="${real_url}">${real_url}</a>`);
    }
  });
  return cb();
};
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			`const padManager = require('../../db/PadManager');`
			`const url = require('url');`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00
Renamed functions to match hook names 2012-02-25 16:53:15 +01:00			`exports.expressCreateServer = function (hook_name, args, cb) {`
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// redirects browser to the pad's sanitized url if needed. otherwise, renders the html`
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			`args.app.param('pad', async (req, res, next, padId) => {`
prepare to async: trivial reformatting This change is only cosmetic. Its aim is do make it easier to understand the async changes that are going to be merged later on. It was extracted from the original work from Ray Bellis. To verify that nothing has changed, you can run the following command on each file touched by this commit: npm install uglify-es diff --unified <(uglify-js --beautify bracketize <BEFORE.js>) <(uglify-js --beautify bracketize <AFTER.js>) This is a complete script that does the same automatically (works from a mercurial clone): ```bash #!/usr/bin/env bash set -eu REVISION=<THIS_REVISION> PARENT_REV=$(hg identify --rev "${REVISION}" --template '{p1rev}') FILE_LIST=$(hg status --no-status --change ${REVISION}) UGLIFYJS="node_modules/uglify-es/bin/uglifyjs" for FILE_NAME in ${FILE_LIST[@]}; do echo "Checking ${FILE_NAME}" diff --unified \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${PARENT_REV}" "${FILE_NAME}")) \ <("${UGLIFYJS}" --beautify bracketize <(hg cat --rev "${REVISION}" "${FILE_NAME}")) done ``` 2019-02-08 23:20:57 +01:00			`// ensure the padname is valid and the url doesn't end with a /`
			`if (!padManager.isValidPadId(padId) \|\| /\/$/.test(req.url)) {`
fix the rest of the deprecation warnings 2015-04-10 14:10:55 -05:00			`res.status(404).send('Such a padname is forbidden');`
padurlsanitize: early return, no functional changes 2018-08-29 01:38:55 +02:00			`return;`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00			`}`
padurlsanitize: early return, no functional changes 2018-08-29 01:38:55 +02:00
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			`const sanitizedPadId = await padManager.sanitizePadId(padId);`
padurlsanitize.js: rewritten to consume promises 2019-01-23 16:36:28 +00:00
			`if (sanitizedPadId === padId) {`
			`// the pad id was fine, so just render it`
			`next();`
			`} else {`
			`// the pad id was sanitized, so we redirect to the sanitized version`
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			`let real_url = sanitizedPadId;`
padurlsanitize.js: rewritten to consume promises 2019-01-23 16:36:28 +00:00			`real_url = encodeURIComponent(real_url);`
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			`const query = url.parse(req.url).query;`
			if (query) real_url += `?${query}`;
padurlsanitize.js: rewritten to consume promises 2019-01-23 16:36:28 +00:00			`res.header('Location', real_url);`
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			res.status(302).send(`You should be redirected to <a href="${real_url}">${real_url}</a>`);
padurlsanitize.js: rewritten to consume promises 2019-01-23 16:36:28 +00:00			`}`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00			`});`
hooks: Call the callback when done If a hook function neither calls the callback nor returns a (non-undefined) value then there's no way for the hook system to know if/when the hook function has finished. 2020-10-10 22:51:26 -04:00			`return cb();`
lint: Run `eslint --fix` on `src/` 2020-11-23 13:24:19 -05:00			`};`