path: root/lib/VNWeb/Validation.pm
Age  Commit message  Author  Files  Lines
2023-12-04  Stricter input validation for single-line fields  Yorhel  1  -0/+1
Tried some malicious multiline inputs, wasn't a big issue given that HTML doesn't render newlines, but could still be surprising in some places.
2023-11-30  Fix escaping of backslash in search queries  Yorhel  1  -2/+2
Fixes https://vndb.org/t2520.831
2023-10-10  Validation: Remove "required" and be explicit about optional fields  Yorhel  1  -8/+8
See TUWF commit fd3d2ca6a18222dafaa13dbcb7a6ccce1c4d9e6e
Fixes https://vndb.org/t2520.822 and a few related bugs. (I may have introduced a few new bugs with this, let's see...)
2023-05-24  UserEdit rewrite part 3: split out admin functionality + sync login form  Yorhel  1  -1/+1
Turns out I *can* just merge all fields into the top-level edit object, but only if I split out the admin part of the form. Which makes sense, anyway, as it's much easier to keep the forms secure with those two functions separated.
2023-04-17  Tracing fixes and other pointless stuff  Yorhel  1  -20/+0
2023-04-12  Some JS/API/Mithril frameworking + rewrite Subscribe.elm into JS  Yorhel  1  -0/+20
Slowly preparing to get rid of Elm, starting with the easy stuff. This is the real test: let's see if I can write Javascript without introducing too many bugs.

I wasted three days trying to figure out how to integrate and use Preact, only to come to the conclusion that I hate it. Its API has so many awkward issues and rough edges that it makes one wonder how it ever got so popular. So back to fiddling with mithril.js, which sure feels a lot better designed. I threw out its routing & request features so what's left is just a tiny vdom library - exactly what I wanted from Preact.

The Subscribe widget code is kind of ugly, but that's unrelated to this Elm->JS rewrite. I might look into cleaning it up later.
2023-04-01  Validation: Use onerror clause for searchquery validation  Yorhel  1  -1/+1
This way a URL with multiple ?q= parameters won't fail validation, it'll just assume there's no search query.
2023-03-30  Validation: Add json serialization support to QueryString objects  Yorhel  1  -0/+1
Requires TUWF commit f683126abd6ee17c6d868d3d8735b416c466f8af
Fixes #42
2023-03-24  Add search result counts for other DB types at search tabs  Yorhel  1  -8/+8
But with some limitations:
- counts are only displayed if the search can be done with trigrams
- The counts include hidden entries (will fix later for most types)
- The counts ignore any saved filters
2023-03-24  Fix adding VN/prod/staff entries with multiple titles  Yorhel  1  -1/+10
I made a thinking error with the 'searchquerya' validation; multiple queries need to be OR'ed and thus can't be combined into a single SearchQuery object.
2023-03-24  Validation: don't fail searchquery validation if it normalizes to nothing  Yorhel  1  -2/+2
2023-03-24  Search backend changes: faster results with trigram index + ranking  Yorhel  1  -0/+67
With this ranking system, searching for titles like 'L' and 'ONE.' is now at least possible, and YU-NO at least shows up on the first page when searching for "yu no".

The actual normalization and matching algorithm hasn't really changed, except that all search terms must now match a single title, but there's still a whole bunch of false positives.

Ranking is not available through the API yet.

The trigram index should make it possible to do site-wide searching at a more reasonable speed, I'll experiment with that later.
2023-01-17  API2: Add listwrite permission & list management API  Yorhel  1  -0/+33
2022-12-23  Better 'noapi' support + fix formatting error in API2 doc  Yorhel  1  -1/+1
2022-12-19  API2: Expose user lengthvotes stats  Yorhel  1  -0/+10
2022-12-13  API2: Fix 500 loading some code again  Yorhel  1  -1/+1
2022-12-03  Switch to the HIBP password database  Yorhel  1  -7/+0
Currently has 851 million password hashes, taking about 8G of space with the current approach. It's simple and fast, so should be worth it. inb4 complaints about "why can't I use my password anymore!?"
2022-12-03  API2: Slightly better error responses + include CORS headers in errors  Yorhel  1  -0/+4
Fixes #37.
2022-10-08  API2: Initial experiments  Yorhel  1  -4/+4
It's looking pretty powerful and functional already.
2022-08-24  Use libloc to add IP location information to the DB  Yorhel  1  -0/+20
This should save me considerable time in finding duplicate account voters.
2022-01-20  Validation: Fix authorization of thread edits by creator  Yorhel  1  -1/+3
Broken since 8c1fcdb94b46373c4e9c8d533e645edf6aba6f7a (!?)
2021-11-29  Move undefbool validation to TUWF for better Elm interop  Yorhel  1  -2/+0
Requires upgrading TUWF to commit cbff0b7e7841ffce68cacea763fe3e59385f73e4
2021-11-29  Releases: Allow "uncensored" flag to be unknown  Yorhel  1  -1/+1
2021-11-07  Add mod option to set deletion reason for forum posts  Yorhel  1  -1/+1
2021-10-28  Allow uppercase characters in usernames  Yorhel  1  -1/+17
Usernames are now case-insensitive and name changes and new registrations are now checked for homograph attacks.
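A worked illustration of the kind of check the commit above describes, as an added example that is not VNDB's code: a candidate username is compatibility-normalized (NFKC, so fullwidth letters collapse to ASCII), casefolded, stripped of combining marks, and then a small constructed subset of Unicode confusables is folded onto ASCII look-alikes; the resulting skeleton is compared against existing names, so a rename or registration that would be visually indistinguishable from an existing account is refused. The CONFUSABLES table (a real deployment would load the full UTS #39 table), skeleton() and username_conflict() are assumptions for illustration.

```python
import unicodedata

# Constructed subset of Unicode confusables mapped onto their ASCII look-alikes.
# Illustrative only; a production check would load the full UTS #39 confusables table.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03b1": "a",  # GREEK SMALL LETTER ALPHA
}


def skeleton(name: str) -> str:
    """Reduce a username to a comparison key.

    NFKC folds compatibility forms (fullwidth letters, ligatures), casefold()
    makes the comparison case-insensitive (uppercase Cyrillic becomes lowercase
    before the confusable lookup), NFD + dropping combining marks removes
    accents, and the final pass maps known confusables onto ASCII.
    """
    s = unicodedata.normalize("NFKC", name).casefold()
    s = unicodedata.normalize("NFD", s)
    s = "".join(c for c in s if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in s)


def username_conflict(existing: list[str], candidate: str) -> list[str]:
    """Existing usernames that are identical to, or confusable with, candidate.

    A registration or name change should be refused when this list is non-empty.
    """
    key = skeleton(candidate)
    return [u for u in existing if skeleton(u) == key]
```

Comparing skeletons rather than raw strings is what makes the check catch both the plain case-insensitive collision ("yorhel" vs "Yorhel") and the homograph ("Y" + Cyrillic "о" + "rhel") in one pass.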
2021-07-28  Users: remove "imgmod" permission flag, use "dbmod" for that  Yorhel  1  -1/+1
2021-06-28  Add a few global lockdown modes  Yorhel  1  -3/+3
2021-03-01  SQL: vndbid data type conversion for most DB entries  Yorhel  1  -3/+3
I had wanted to split this up into multiple commits and roll out in stages, but couldn't really find a natural way to do so. There are several places that take a generic identifier and expect it to work the same for all entries they support, so changing one entry at a time wasn't going to be any easier.

Only the tags & traits haven't been updated yet, I'll convert those later.

While this is a major change and affects a lot of code, the individual changes are all pretty simple. I'm surprised how much code did not have to be updated at all. No doubt I've missed a few places, though, so this commit will almost certainly break something.
2021-02-20  Disallow tag creation when banned  Yorhel  1  -1/+1
2021-01-04  v2rw: Some cleanup; Move some functionality out of vndb.pl; Move config out of tuwf->{..}  Yorhel  1  -1/+6
Config had been in a separate config->{..} object for a while now, old code doesn't need it anymore so we can finally get rid of the tuwf->{..} compat.

vndb.pl is not really the place for library code, so moved that around. The old imgpath() and imgurl() functions weren't used anymore, so could be safely replaced with the new functions that take the new vndbid format.

(All this to make it easier to write separate scripts that call into VNDB::/VNWeb:: code as a library)
2020-11-21  AdvSearch: Add more tag weights + formalize query formats a bit more  Yorhel  1  -0/+3
Tag weights are in 0.2 increments, to keep the selection list short enough. https://vndb.org/t14995.5

This (again) breaks the query encoding format, but provides a means for filters to define their own compact query encoding instead of having to force their fully normalized value in some way that it also somehow fits the compact form. This allowed me to save one character on the tag filter encoding by using a Tuple value rather than Triple. I don't foresee any other uses for Triples, so removed that as value type.
2020-11-18  Validation: Fix setting html5 pattern for vndbids  Yorhel  1  -1/+1
Even if the server accepts a regular number as well, the form expects the input to be a proper identifier.
2020-11-15  Advsearch: Add release date filter  Yorhel  1  -0/+10
This required some changes to the query model and encoded form, since doing this with only <= and => operators is too limited. I changed the compact encoding of strings to only encode the length in the type field for specific (common) lengths and fallback to an end-of-string character for everything else. This leaves room for more custom types.
2020-11-07  AdvSearch: Add developer filter  Yorhel  1  -2/+5
First attempt to add filters that reference database entries. Will need to be refined.
2020-09-27  v2rw/TagEdit: Rewrite tag edit form to elm  Yorhel  1  -0/+8
It's still missing a few mod features, will add those later.
2020-09-10  v2rw/filters: Add experimental validation + move compat to VNWeb  Yorhel  1  -0/+4
This is a minor start towards rewriting the filter logic in the new v2rw code. Filters were never validated before (I didn't have a good framework for it - now I do) and invalid filters would result in a 500.

The new validation code is not yet applied, but failed validations will be logged so that I can see if it's working correctly. I mean, what better way to test than to throw it in production?

I'll write new (and more flexible) SQL generation functions for these filters later, so that v2rw code can get filtered results and I can make a start on rewriting the pages that depend on the functionality. The validation schema can also be used to validate the filters stored in the DB, so I can use it to get rid of the complex handling of stored invalid filters.
2020-08-18  Reviews: Also fix editing permission check  Yorhel  1  -1/+1
2020-08-07  reviews: Add submit/edit forms  Yorhel  1  -0/+11
2020-07-09  User::Edit: Remove "show_nsfw" setting from profile + deprecate NSFW flags  Yorhel  1  -1/+1
2020-07-01  Char::Edit: Abstract & revamp image voting UI  Yorhel  1  -0/+5
The image voting is now handled separately from form submission and image IDs are validated when changed. This abstraction is hopefully also usable for the VN form.
2020-05-26  Make use of new tuwf->req() feature for session & view storage  Yorhel  1  -21/+19
Auto-wiping request-local storage is easier and more reliable than using hooks. (See TUWF commit 7cc84ca99b1d93f7f08cc95e9a776f1926e80417)
2020-04-26  User::Edit: Restructure form to allow non-usermods to edit some permissions  Yorhel  1  -1/+1
dbmods can now change other users' "edit" permission, tagmods "tag", etc. As I hinted at in be5ee198129301d84912380ed8d1636ad32f68b3

This required the user edit form to be restructured a bit so only people with the proper permissions get to see the proper form sections.
2020-04-20  Strengthen ?view= query parameter security with a CSRF token  Yorhel  1  -3/+16
Easier than moderating the site to prevent people from creating internal links to sensitive pages. It also turns out that SameSite cookies are included when opening a bookmark (okayish) or clicking on a link from outside the browser (not okay); this protects against those scenarios as well.
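As an added example of the mechanism the commit above describes (not VNDB's implementation, whose token format and parameter names this log does not show), one way to bind a ?view= parameter to the caller's login session: the server only ever emits view-switching links that carry an HMAC over (session id, view value), and a request whose token does not verify for the current session falls back to the default view instead of honouring the parameter. That way a link pasted into a forum post, or a bookmark opened with SameSite cookies attached, cannot flip another user's view. SECRET_KEY, DEFAULT_VIEW, the viewtoken parameter name and the function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
from urllib.parse import parse_qs, urlencode

# Server-side key for the token MAC. Generated here for the stand-alone example;
# a real deployment keeps this in configuration so tokens survive restarts.
SECRET_KEY = secrets.token_bytes(32)
DEFAULT_VIEW = "default"


def view_token(session_id: str, view: str) -> str:
    """HMAC binding one view value to one login session.

    The NUL separator keeps (session, view) pairs unambiguous, so no two
    distinct pairs can produce the same MAC input.
    """
    msg = session_id.encode() + b"\0" + view.encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def view_link(session_id: str, view: str) -> str:
    """Query string the server puts in its own 'switch view' links."""
    return "?" + urlencode({"view": view, "viewtoken": view_token(session_id, view)})


def parse_view(session_id: str, query: str) -> str:
    """Resolve the effective view for a request.

    Anything that does not verify (no token, a token minted for another session,
    or duplicated parameters) silently yields DEFAULT_VIEW rather than failing
    the request: an attacker gains nothing, and a stale link still renders.
    """
    params = parse_qs(query.lstrip("?"))
    views = params.get("view", [])
    tokens = params.get("viewtoken", [])
    if len(views) != 1 or len(tokens) != 1:
        return DEFAULT_VIEW
    expected = view_token(session_id, views[0])
    if not hmac.compare_digest(tokens[0], expected):
        return DEFAULT_VIEW
    return views[0]
```

Because the MAC is keyed on the session id, the same link is valid for exactly one user; verification uses hmac.compare_digest so the comparison does not leak timing information about how many leading characters of a forged token were right.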
2020-04-14  imgflag: Make image browser public + add NSFW warning  Yorhel  1  -6/+10
Decided to make the "vote difference" sort option a non-moderator feature, too. It's too useful to hide, I think.

The NSFW warning makes use of the 'show_nsfw' setting and the viewget/viewset machinery to do this somewhat safely. In the future I suppose this would use a "Show Explicit / Brutal images by default" setting.
2020-04-13  Fix input validation of Wikidata IDs + fix "id" upper bound  Yorhel  1  -1/+1
The 'id' validation is to be used for internal VNDB ids only, and the associativity of << and - was different from what I had expected.
2020-04-11  Limit identifier input validation to the range supported by the "vndbid" type  Yorhel  1  -1/+1
2020-04-06  Releases::Edit: Fixup: Allow empty GTIN field  Yorhel  1  -1/+1
2020-04-06  Release::Edit: Consider GTIN code as a string for validation/editing  Yorhel  1  -1/+1
Problem is that the 'uint' validation does not allow leading zeros, which are very valid as part of GTIN codes, thus resulting in an error when validating a normalized GTIN code.
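An added example of the point made in the two commits above (not the project's own validation code): a GTIN validator that keeps the code as a digit string, so leading zeros are preserved and counted towards the length, and that verifies the mod-10 check digit. The uint_roundtrip() helper shows what an unsigned-integer validation effectively does to the same value. The helper names are assumptions, the sample codes are constructed, and the stripping of spaces and hyphens is an assumed convenience rather than anything the commits describe.

```python
import re

# GTIN-8, GTIN-12 (UPC-A), GTIN-13 (EAN-13) and GTIN-14.
GTIN_LENGTHS = (8, 12, 13, 14)


def gtin_check_digit(body: str) -> str:
    """Mod-10 check digit over the non-check digits.

    Weights 3,1,3,1,... are applied starting from the rightmost body digit,
    which is why prepending zeros to a valid code leaves its check digit intact.
    """
    total = sum(int(ch) * (3 if i % 2 == 0 else 1)
                for i, ch in enumerate(reversed(body)))
    return str((10 - total % 10) % 10)


def validate_gtin(value: str):
    """Validate a GTIN submitted as a form field.

    Returns the normalized digit string, "" for an intentionally empty field,
    or None when the input is not a well-formed GTIN. The value is never
    converted to an integer, so "012345678905" stays twelve digits long.
    """
    digits = re.sub(r"[\s-]", "", value)  # assumption: digit groups may be typed with spaces/hyphens
    if digits == "":
        return ""
    if not re.fullmatch(r"[0-9]+", digits) or len(digits) not in GTIN_LENGTHS:
        return None
    if gtin_check_digit(digits[:-1]) != digits[-1]:
        return None
    return digits


def uint_roundtrip(value: str) -> str:
    """What an unsigned-integer validation does to the value: the leading
    zero is lost and the result no longer has a valid GTIN length."""
    return str(int(value))
```

The last two assertions in the usage below are the failure mode the commit message describes: a correct UPC-A with a leading zero validates as a string, but the same value passed through an integer conversion comes back eleven digits long and is rejected.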
2020-03-20  Minor refactor: Move "samesite" cookie handling to vndb.pl  Yorhel  1  -13/+4
As it's now being used from two distinct places.
2020-03-18  Validation: Remove diagnostic log + make view=0 removing work  Yorhel  1  -2/+1
Crawlers unsurprisingly hit that protection a lot. I've not seen any problems so far, the pages load fine for everyone else.