From 6684639f48a53ded2ee7e69203c9ec684c42b4cc Mon Sep 17 00:00:00 2001
From: fatchan
Date: Fri, 2 Aug 2019 17:25:45 +0000
Subject: [PATCH] enforce alphanumeric for board URIs
---
 controllers/forms.js | 9 +++++++--
 views/pages/create.pug | 2 +-
 2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/controllers/forms.js b/controllers/forms.js
index f5a63790..d2195f60 100644
--- a/controllers/forms.js
+++ b/controllers/forms.js
@@ -159,8 +159,13 @@ router.post('/create', csrf, verifyCaptcha, (req, res, next) => {
 } //check exist
- if (req.body.uri && req.body.uri.length > 50) {
- errors.push('URI must be 50 characters or less');
+ if (req.body.uri) {
+ if (req.body.uri.length > 50) {
+ errors.push('URI must be 50 characters or less');
+ }
+ if (!req.body.uri.match(/^[a-zA-Z0-9]+$/)) {
+ errors.push('URI must contain a-z 0-9 only');
+ }
 }
 if (req.body.name && req.body.name.length > 50) {
 errors.push('Name must be 50 characters or less');
diff --git a/views/pages/create.pug b/views/pages/create.pug
index 8a8c6fa8..7c42f607 100644
--- a/views/pages/create.pug
+++ b/views/pages/create.pug
@@ -10,7 +10,7 @@ block content
 input(type='hidden' name='_csrf' value=csrf)
 section.row
 .label URI e.g. /uri/
- input(type='text', name='uri', maxlength='50' required)
+ input(type='text', name='uri', maxlength='50' pattern='[a-zA-Z0-9]+' required title='alphanumeric only')
 section.row
 .label Name
 input(type='text', name='name', maxlength='50' required)
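Review bot: The added `req.body.uri.match(...)` call assumes `uri` is a string, and nothing visible in the hunk checks its type. If the body parser in use can deliver an array or object for a repeated or bracketed field (not visible here, so this needs confirming), the value has no `.match` and the handler throws, and the `.length` check counts elements instead of characters. Testing the type together with the pattern closes that gap: `if (typeof req.body.uri !== 'string' || !/^[a-zA-Z0-9]+$/.test(req.body.uri)) {`. Separately, the message says "a-z 0-9 only" while the pattern also accepts `A-Z`; either lowercase the URI before storing it or reword the message, so that two boards differing only in case are a deliberate choice. The handler starts above the hunk and continues below it, so an earlier presence check on `uri` may exist that is not shown.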
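Review bot: The `pattern='[a-zA-Z0-9]+'` attribute on the `uri` input is a second copy of the rule enforced in controllers/forms.js and only a browser-side hint, so the two expressions can drift apart unnoticed. A comment above the input such as `//- UX hint only; the check in controllers/forms.js is authoritative and must match` would keep that relationship visible. The same line now mixes comma-separated and space-separated attributes; using one separator style throughout would make it easier to scan.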