refactor: lift clothing input rules by safely escaping

2025-05-24 18:13:48 +02:00 · 2025-05-24 18:13:48 +02:00 · 513e8983b9
commit 513e8983b9
parent f1a22f83aa
2 changed files with 14 additions and 10 deletions
--- a/web/src/endpoints/clothing/mod.rs
+++ b/web/src/endpoints/clothing/mod.rs
@ -28,14 +28,6 @@ struct ReadClothingPartialTemplate {

 #[derive(Deserialize, Validate)]
 struct NewOrEditClothingForm {
-    #[garde(length(min=3), custom(alphanumeric_or_space))]
+    #[garde(length(min=3))]
    name: String,
 }
-
-fn alphanumeric_or_space(value: &str, _context: &()) -> garde::Result {
-    if value.chars().all(|c| c.is_alphanumeric() || c == ' ') {
-        return Ok(())
-    } else {
-        return Err(garde::Error::new("Eingabe enthält unerlaubte Zeichen. Erlaubt sind Buchstaben, Zahlen und Leerzeichen."));
-    }
-}
--- a/web/src/filters.rs
+++ b/web/src/filters.rs
@ -29,7 +29,8 @@ where
    T: Display,
 {
    if let Some(val) = option {
-        let s = format!(r#"value="{val}""#);
+        let escaped = escape_html(val.to_string());
+        let s = format!(r#"value="{escaped}""#);
        return Ok(s);
    }

@ -94,3 +95,14 @@ pub fn fmt_time(v: &NaiveTime, format: DateTimeFormat) -> askama::Result<String>

    Ok(v.format(format_string).to_string())
 }
+
+fn escape_html(string: String) -> String {
+    let s = string
+        .replace('&', "&amp;")
+        .replace('<', "&lt;")
+        .replace('>', "&gt;")
+        .replace('"', "&quot;")
+        .replace('\'', "&#x27;");
+
+    s
+}