From 4cf3c6a6162101e5cabb8768b9ebab6655fc2270 Mon Sep 17 00:00:00 2001 From: Omar Roth Date: Thu, 30 May 2019 18:32:47 -0500 Subject: [PATCH] HTML-escape strings to '/api/v1/auth/preferences' --- src/invidious/users.cr | 32 +++++++++++++++++++++++++------- 1 file changed, 25 insertions(+), 7 deletions(-) diff --git a/src/invidious/users.cr b/src/invidious/users.cr index b1af9d05..298d6b0d 100644 --- a/src/invidious/users.cr +++ b/src/invidious/users.cr @@ -40,10 +40,10 @@ struct Preferences begin result = [] of String value.read_array do - result << value.read_string + result << HTML.escape(value.read_string) end rescue ex - result = [value.read_string, ""] + result = [HTML.escape(value.read_string), ""] end result @@ -69,11 +69,11 @@ struct Preferences node.raise "Expected scalar, not #{item.class}" end - result << item.value + result << HTML.escape(item.value) end rescue ex if node.is_a?(YAML::Nodes::Scalar) - result = [node.value, ""] + result = [HTML.escape(node.value), ""] else result = ["", ""] end @@ -83,6 +83,24 @@ struct Preferences end end + module EscapeString + def self.to_json(value : String, json : JSON::Builder) + json.string value + end + + def self.from_json(value : JSON::PullParser) : String + HTML.escape(value.read_string) + end + + def self.to_yaml(value : String, yaml : YAML::Nodes::Builder) + yaml.scalar value + end + + def self.from_yaml(ctx : YAML::ParseContext, node : YAML::Nodes::Node) : String + HTML.escape(node.value) + end + end + json_mapping({ annotations: {type: Bool, default: CONFIG.default_user_preferences.annotations}, annotations_subscribed: {type: Bool, default: CONFIG.default_user_preferences.annotations_subscribed}, 
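Review bot: Escaping inside the JSON reader at `result << HTML.escape(value.read_string)` (and the fallback `[HTML.escape(value.read_string), ""]`) transforms the stored data rather than the rendering, so every consumer of these preferences — including the JSON body returned by the `/api/v1/auth/preferences` endpoint the subject names — now receives `&lt;`/`&amp;` sequences instead of the user's value. JSON needs no HTML escaping of its own, and a non-HTML client has no way to know the data was altered. The more robust pattern is to keep the parsed value verbatim and escape in the HTML templates at output time, where the context is known; if input-side normalisation is deliberately wanted, state it next to the loop, e.g. `# stored HTML-escaped: templates must not escape these values again`. The `from_json` whose body this hunk changes begins before the hunk.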
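Review bot: The YAML path at `result << HTML.escape(item.value)` applies the same parse-time escape, and `HTML.escape` only neutralises the handful of characters relevant to an HTML text or attribute context; a preference later interpolated into a URL, an inline script or a style value is not made safe by it, so this should not be read as a general sanitiser. A one-line comment above the loop would keep the next reader from relying on it for other contexts: `# HTML-escaped for HTML body/attribute contexts only; not URL- or JS-safe`. The enclosing `from_yaml` begins outside the hunk.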
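Review bot: `EscapeString` is asymmetric — `from_json`/`from_yaml` escape on read while `to_json`/`to_yaml` write the stored value back verbatim — so a preference that is parsed, serialised and parsed again is escaped twice (`&` → `&amp;` → `&amp;amp;`) and the stored form drifts on every round trip. Either make the writers undo the transform, `json.string HTML.unescape(value)` and `yaml.scalar HTML.unescape(value)`, or, better, drop the converter and escape at render time. `from_yaml` also calls `node.value` on any `YAML::Nodes::Node`, whereas the array converter just above first checks `node.is_a?(YAML::Nodes::Scalar)`; mirror that guard with `node.raise "Expected scalar, not #{node.class}" unless node.is_a?(YAML::Nodes::Scalar)`. The module carries no doc comment; one line such as `# Converter that HTML-escapes a String field as it is read from JSON/YAML` would make the intent explicit.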
@@ -95,13 +113,13 @@ struct Preferences
 latest_only: {type: Bool, default: CONFIG.default_user_preferences.latest_only},
 listen: {type: Bool, default: CONFIG.default_user_preferences.listen},
 local: {type: Bool, default: CONFIG.default_user_preferences.local},
- locale: {type: String, default: CONFIG.default_user_preferences.locale},
+ locale: {type: String, default: CONFIG.default_user_preferences.locale, converter: EscapeString},
 max_results: {type: Int32, default: CONFIG.default_user_preferences.max_results},
 notifications_only: {type: Bool, default: CONFIG.default_user_preferences.notifications_only},
- quality: {type: String, default: CONFIG.default_user_preferences.quality},
+ quality: {type: String, default: CONFIG.default_user_preferences.quality, converter: EscapeString},
 redirect_feed: {type: Bool, default: CONFIG.default_user_preferences.redirect_feed},
 related_videos: {type: Bool, default: CONFIG.default_user_preferences.related_videos},
- sort: {type: String, default: CONFIG.default_user_preferences.sort},
+ sort: {type: String, default: CONFIG.default_user_preferences.sort, converter: EscapeString},
 speed: {type: Float32, default: CONFIG.default_user_preferences.speed},
 thin_mode: {type: Bool, default: CONFIG.default_user_preferences.thin_mode},
 unseen_only: {type: Bool, default: CONFIG.default_user_preferences.unseen_only},
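Review bot: `locale`, `quality` and `sort` read as enumerated settings, and for such fields an allow-list check against the known option set is a stronger control than `converter: EscapeString`: an unknown value is rejected outright instead of being stored in an escaped form that may no longer equal any option it is later compared with (how these fields are consumed is not visible here, so confirm against the callers). Note also that the `default:` values taken from `CONFIG.default_user_preferences` presumably bypass the converter when the key is absent, leaving config-supplied and user-supplied values in different representations. If the converter is kept, mark the three entries so the representation is not a surprise: `# stored HTML-escaped (EscapeString); compare against option lists accordingly`.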