Open programsam opened 6 years ago
Started off thinking of this as apostrophes, but with what I know about security, really this is a matter of escaping any and all admin input — or is it? Should you be able to include links in the jam description?? I don’t really think so.
One thing’s for sure. I’ve run `parseInt` on jam IDs wherever possible, but that just means an exception will occur if you enter a non-number… protects us from some gnarly input but it should fail more gracefully.
https://www.npmjs.com/package/validator Shows promise for this.
At present I’m using `Number.isNaN()` for this. Makes sense to handle this in the express routers and not in processing. Processing can assume valid input — should be a cross-cutting concern in a single method somewhere though.
Handling it with NaNs is useful for making sure no exception occurs.
If you submit a request body that is not valid JSON, we do not currently handle that gracefully.
We are using prepared statements everywhere, so this is another “guiding principle.” The old BINK doesn’t like apostrophes, particularly in notes and things like that. So this is to say there should be tests that they work in all fields.
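The two points raised in the issue (a single cross-cutting ID check in the Express layer, and graceful handling of a body that is not valid JSON) as an added example; this is not code from the BINK project. It assumes the route parameter is named `jamId`, that the app parses bodies with `express.json()` (which is body-parser underneath), and it runs without Express by driving the middleware with a small fake `res` object. Note that `parseInt("12abc")` returns `12`, so the check below rejects anything that is not a plain decimal string rather than relying on `parseInt` plus `Number.isNaN()`.

```javascript
// Added example: one validator for jam IDs, reused as Express middleware,
// plus an error handler for malformed JSON request bodies.
// Assumptions: route param is `jamId`; bodies are parsed by express.json().

// Returns a positive safe integer, or null for anything that is not one.
// A regex is used because parseInt("12abc") === 12 and Number("") === 0.
function parseJamId(raw) {
  if (typeof raw !== 'string' || !/^\d{1,15}$/.test(raw)) return null;
  const id = Number(raw);
  return Number.isSafeInteger(id) && id > 0 ? id : null;
}

// Express-style middleware: `router.get('/jams/:jamId', requireJamId, handler)`.
// Downstream handlers can then trust req.jamId, as the issue proposes.
function requireJamId(req, res, next) {
  const id = parseJamId(req.params && req.params.jamId);
  if (id === null) {
    res.status(400).json({ error: 'jamId must be a positive integer' });
    return;
  }
  req.jamId = id;
  next();
}

// Error-handling middleware, registered after express.json(). body-parser
// rejects malformed JSON with a SyntaxError carrying status 400 and
// type 'entity.parse.failed'; anything else is passed on unchanged.
function handleBadJson(err, req, res, next) {
  if (err instanceof SyntaxError && err.status === 400 && err.type === 'entity.parse.failed') {
    res.status(400).json({ error: 'request body is not valid JSON' });
    return;
  }
  next(err);
}

// Minimal stand-in for Express's res so the middleware can run offline.
function fakeRes() {
  const r = { statusCode: 200, body: undefined };
  r.status = (code) => { r.statusCode = code; return r; };
  r.json = (payload) => { r.body = payload; return r; };
  return r;
}

// Drives requireJamId with a constructed request and reports what happened.
function runRequireJamId(rawId) {
  const req = { params: { jamId: rawId } };
  const res = fakeRes();
  let nextCalled = false;
  requireJamId(req, res, () => { nextCalled = true; });
  return { nextCalled, statusCode: res.statusCode, jamId: req.jamId };
}

// Drives handleBadJson with a given error and reports what happened.
function runHandleBadJson(err) {
  const res = fakeRes();
  let passedOn = false;
  handleBadJson(err, {}, res, () => { passedOn = true; });
  return { statusCode: res.statusCode, passedOn };
}

// Constructed error shaped like the one body-parser raises on "{bad".
const sampleBadJsonError = Object.assign(new SyntaxError('Unexpected token b'), {
  status: 400,
  type: 'entity.parse.failed',
  body: '{bad',
});

if (typeof module !== 'undefined') {
  module.exports = { parseJamId, requireJamId, handleBadJson, runRequireJamId, runHandleBadJson, sampleBadJsonError };
}
```

With this in place, a request for `/jams/12abc` or `/jams/'` gets a 400 from the router instead of an exception in processing, and a malformed body gets a 400 from `handleBadJson` rather than the default HTML error page. Field values such as apostrophes in notes are a separate concern and stay with the prepared statements the issue already relies on.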