intrn(back-end): fix the regex for matching banned tags

lemredd · Nov 14, 2022 · 6647ac3 · 6647ac3
1 parent e052678
commit 6647ac3
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 1 deletion.
diff --git a/common_back-end/constants/regex.ts b/common_back-end/constants/regex.ts
@@ -36,5 +36,5 @@ export const fileTypeDescription = "be a valid MIME type"
 export const channelName = /^\w+$/u
 export const channelNameDescription = "have alphanumeric or underscore characters only"
 
-export const postContent = /^.+<(script).+?>.+<\/\1{1}>.+$/u
+export const postContent = /^.*(?!<script.*?>.*?<\/script.*>)$/gmu
 export const postContentDescription = "have no banned tags"
diff --git a/routes/api/post/create.post.spec.ts b/routes/api/post/create.post.spec.ts
@@ -46,6 +46,47 @@ describe("Controller: POST /api/post", () => {
 		requester.expectSuccess()
 	})
 
+	it("cannot accept with dangerous tags", async() => {
+		const controller = new Controller()
+		const { validations } = controller
+		const bodyValidation = validations[BODY_VALIDATION_INDEX]
+		const bodyValidationFunction = bodyValidation.intermediate.bind(bodyValidation)
+		const post = await new PostFactory()
+		.content(() => "<script>Hello world</script>")
+		.makeOne()
+		requester.customizeRequest({
+			"body": {
+				"data": {
+					"attributes": {
+						"attachedRoleID": post.attachedRoleID,
+						"content": post.content
+					},
+					"relationships": {
+						"poster": {
+							"data": {
+								"id": String(post.poster?.id),
+								"type": "user"
+							}
+						},
+						"posterRole": {
+							"data": {
+								"id": String(post.posterRole?.id),
+								"type": "role"
+							}
+						}
+					},
+					"type": "post"
+				}
+			}
+		})
+
+		await requester.runMiddleware(bodyValidationFunction)
+
+		const body = requester.expectFailure(ErrorBag).toJSON()
+		expect(body).toHaveLength(1)
+		expect(body).toHaveProperty("0.source.pointer", "data.attributes.content")
+	})
+
 	it("cannot accept invalid data", async() => {
 		const controller = new Controller()
 		const { validations } = controller

diff --git a/routes/api/post/update(id).patch.spec.ts b/routes/api/post/update(id).patch.spec.ts
@@ -42,9 +42,52 @@ describe("Controller: PATCH /api/post/:id", () => {
 		})
 
 		await requester.runMiddleware(bodyValidationFunction)
+
 		requester.expectSuccess()
 	})
 
+	it("cannot accept with dangerous tags", async() => {
+		const controller = new Controller()
+		const { validations } = controller
+		const bodyValidation = validations[BODY_VALIDATION_INDEX]
+		const bodyValidationFunction = bodyValidation.intermediate.bind(bodyValidation)
+		const post = await new PostFactory().insertOne()
+		const newPost = await new PostFactory()
+		.content(() => "<script>Hello world</script>")
+		.makeOne()
+		requester.customizeRequest({
+			"body": {
+				"data": {
+					"attributes": {
+						"content": newPost.content
+					},
+					"id": String(post.id),
+					"relationships": {
+						"poster": {
+							"data": {
+								"id": String(post.poster?.id),
+								"type": "user"
+							}
+						},
+						"posterRole": {
+							"data": {
+								"id": String(post.posterRole?.id),
+								"type": "role"
+							}
+						}
+					},
+					"type": "post"
+				}
+			}
+		})
+
+		await requester.runMiddleware(bodyValidationFunction)
+
+		const body = requester.expectFailure(ErrorBag).toJSON()
+		expect(body).toHaveLength(1)
+		expect(body).toHaveProperty("0.source.pointer", "data.attributes.content")
+	})
+
 	it("cannot accept invalid data", async() => {
 		const controller = new Controller()
 		const { validations } = controller