Closed: agilbert closed this issue 7 years ago
You need to use a regex to fully validate the year and month filters in their launder methods. Otherwise a malicious regular expression can bake the CPU (or maybe nastier stuff, I haven't thought about it super hard...)
There's also self.apos.utils.regExpQuote and you should actually use both since hyphens have special meaning in regexps and won't actually match as you have it now.
So validate them with:
/^\d\d\d\d$/
/^\d\d\d\d\-\d\d$/
And then when you actually build your regexp quote the value with self.apos.utils.regExpQuote.
@boutell To accomplish this, should we be adding some sort of generic launder.regex method to our launder library?
I don't think so. The purpose of launder is to make sure data is what it says on the label, not to escape things for compatibility with something else. self.apos.utils.regExpQuote is already available for situations in which you want to exactly match a given string as part of a regular expression you are building.
I feel like the choices provided by the month filter are not likely to be used too frequently... maybe there is a different design there that makes sense? Either way, I'm using the year stuff successfully on my project now.