From a8bc0e55088cee1da223d1b783fbf96d3fe47684 Mon Sep 17 00:00:00 2001
From: Arnav Kumar <72879799+arnav-kr@users.noreply.github.com>
Date: Thu, 22 Aug 2024 22:30:32 +0530
Subject: [PATCH 1/2] fix: css injection, estimated hour validation
Fix potential point of CSS injection validate estimated hours to be a positive integer
---
 .../showcase/projects/[projectID]/edit.js | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)
diff --git a/pages/api/arcade/showcase/projects/[projectID]/edit.js b/pages/api/arcade/showcase/projects/[projectID]/edit.js
index de322882..ecba8cba 100644
--- a/pages/api/arcade/showcase/projects/[projectID]/edit.js
+++ b/pages/api/arcade/showcase/projects/[projectID]/edit.js
@@ -12,6 +12,25 @@ export default async function handler(req, res) {
 return res.status(400).json({ error: 'No body provided' })
 }
 
+ // html color input value always gives a 6-char hex color
+ const colorRegex = /^#[0-9A-F]{6}$/i;
+ if(body.color !== "" && !(colorRegex.test(body.color))) {
+ return res
+ .status(400)
+ .json({ error: 'Invalid Color' });
+ }
+ if(body.textColor !== "" && !(colorRegex.test(body.textColor))) {
+ return res
+ .status(400)
+ .json({ error: 'Invalid Text Color' });
+ }
+
+ if(body.hours <= 0) {
+ return res
+ .status(400)
+ .json({ error: 'Hours should be a positive integer' });
+ }
+
 const updatedFields = {}
 updatedFields['Name'] = body.title
 updatedFields['Estimated Hours'] = body.hours
From ee090681d841d524c62b3bba6bdcd36d4f432ba6 Mon Sep 17 00:00:00 2001
From: Arnav Kumar <72879799+arnav-kr@users.noreply.github.com>
Date: Thu, 22 Aug 2024 22:43:01 +0530
Subject: [PATCH 2/2] Update project-edit.js
---
 components/arcade/showcase/project-edit.js | 1 +
 1 file changed, 1 insertion(+)
diff --git a/components/arcade/showcase/project-edit.js b/components/arcade/showcase/project-edit.js
index d72b126d..de16a8d6 100644
--- a/components/arcade/showcase/project-edit.js
+++ b/components/arcade/showcase/project-edit.js
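Review bot: The `if(body.hours <= 0)` guard in the edit.js hunk does not enforce what its error message promises — a non-numeric string, an array/object, `undefined`, or a fraction like `"2.5"` all evaluate `<= 0` to false and flow straight into `updatedFields['Estimated Hours'] = body.hours`. Coerce once and check for a positive integer explicitly: `const hours = Number(body.hours);` followed by `if (!Number.isInteger(hours) || hours <= 0) {`, and store `hours` rather than the raw value. The colour checks have the mirror problem: `colorRegex.test(body.color)` stringifies its argument, so an omitted field (`undefined`) now yields a 400 while a one-element array `["#FFFFFF"]` passes and is stored as an array; if the client may omit these fields, guard with `typeof body.color === 'string'` before the regex and treat `undefined` like `""`. The `handler` body continues past the end of this hunk, so whether the stored value is further validated downstream cannot be confirmed here.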
@@ -209,6 +209,7 @@ const ProjectEditForm = ({ project }) => {