Merge e82924b4eb into e02054d6fe

doc/api/http_api.md

@@ -295,10 +295,10 @@ Group pads are normal pads, but with the name schema GROUPID$PADNAME. A security
 #### createPad(padID [, text])
  * API >= 1
 
-creates a new (non-group) pad.  Note that if you need to create a group Pad, you should call **createGroupPad**.
+creates a new (non-group) pad.  Note that if you need to create a group Pad, you should call **createGroupPad**. Returns the actual PadID that was recorded (Checked against a regex so that nothing breaks when accessed.)
 
 *Example returns:*
-  * `{code: 0, message:"ok", data: null}`
+  * `{code: 0, message:"ok", data: {"padID":"asdf_as_d"}}`
   * `{code: 1, message:"pad does already exist", data: null}`
 
 #### getRevisionsCount(padID)

src/node/db/API.js

@@ -331,12 +331,12 @@ exports.createPad = function(padID, text, callback)
     callback(new customError("createPad can't create group pads","apierror"));
     return;
   }
-  
+  padID = padID.replace(/[;\/\?:@&=\+\$,{}\\\^\[\]\`\|%<>\*#]/gi, '_'); 
   //create pad
   getPadSafe(padID, false, text, function(err)
   {
     if(ERR(err, callback)) return;
-    callback();
+    callback(null, {padID: padID});
   });
 }
 

src/node/hooks/express/specialpages.js

@@ -27,7 +27,11 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   //serve pad.html under /p
   args.app.get('/p/:pad', function(req, res, next)
   {    
-    res.send(eejs.require("ep_etherpad-lite/templates/pad.html", {req: req}));
+    /*if(!!(req.params.pad.match(/[;\/\?:@&=\+\$,{}\\\^\[\]\`\|%<>\*#]/gi))){
+      res.send(404, "Such a padname is forbidden");
+    }else{*/
+      res.send(eejs.require("ep_etherpad-lite/templates/pad.html", {req: req}));
+    //}
   });
 
   //serve timeslider.html under /p/$padname/timeslider
@@ -35,7 +39,16 @@ exports.expressCreateServer = function (hook_name, args, cb) {
   {
     res.send(eejs.require("ep_etherpad-lite/templates/timeslider.html", {req: req}));
   });
-
+  args.app.get('/p/:pad/*', function(req, res, next)
+  {
+    if(req.url.split("/")[3] == "timeslider"){
+      //Just a safeguard, sometimes these URLs get messed up and should be
+      //actually rerouted to the timeslider instead of an error page.
+      res.send(eejs.require("ep_etherpad-lite/templates/timeslider.html", {req: req}));
+    }else{
+      res.send(404, "Such a padname is forbidden");
+    }
+  });
   //serve favicon.ico from all path levels except as a pad name
   args.app.get( /\/favicon.ico$/, function(req, res)
   {

src/templates/index.html

@@ -41,7 +41,7 @@
               if(language) document.documentElement.lang = language[1];
             })(document)
         </script>
-        <script type="text/javascript" src="static/js/l10n.js" async></script>
+        <script type="text/javascript" src="static/js/l10n.js"></script>
 
         <style>
             html, body {
@@ -168,11 +168,11 @@
 
         <script src="static/custom/index.js"></script>
         <script> 
-      
             function go2Name() 
             {
-                var padname = document.getElementById("padname").value;
+              
-                padname.length > 0 ? window.location = "p/" + padname : alert("Please enter a name")
+                var padname = document.getElementById("padname").value.replace(/[;\/\?:@&=\+\$,{}\\\^\[\]\`\|%<>\*#]/gi, '_');
+                padname.length > 0 ? window.location = "p/" + padname : alert("Please enter a name");
             }
  
             function go2Random()