pad.libre-service.eu-etherpad/src/node/hooks/express/padurlsanitize.js

var padManager = require('../../db/PadManager');
var url = require('url');

exports.expressCreateServer = function (hook_name, args, cb) {
  //redirects browser to the pad's sanitized url if needed. otherwise, renders the html
  args.app.param('pad', function (req, res, next, padId) {
    //ensure the padname is valid and the url doesn't end with a /
    if(!padManager.isValidPadId(padId) || /\/$/.test(req.url))
    {
      res.send(404, 'Such a padname is forbidden');
    }
    else
    {
      padManager.sanitizePadId(padId, function(sanitizedPadId) {
	//the pad id was sanitized, so we redirect to the sanitized version
	if(sanitizedPadId != padId)
	{
          var real_url = sanitizedPadId;
          var query = url.parse(req.url).query;
          if ( query ) real_url += '?' + query;
	  res.header('Location', real_url);
	  res.send(302, 'You should be redirected to <a href="' + real_url + '">' + real_url + '</a>');
	}
	//the pad id was fine, so just render it
	else
	{
	  next();
	}
      });
    }
  });
}
Moved all the hooks into a hooks directory 2012-02-25 17:23:44 +01:00			`var padManager = require('../../db/PadManager');`
The pad name sanitizer shouldn't drop query params. issue #779 2012-06-13 21:20:29 +02:00			`var url = require('url');`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00
Renamed functions to match hook names 2012-02-25 16:53:15 +01:00			`exports.expressCreateServer = function (hook_name, args, cb) {`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00			`//redirects browser to the pad's sanitized url if needed. otherwise, renders the html`
			`args.app.param('pad', function (req, res, next, padId) {`
			`//ensure the padname is valid and the url doesn't end with a /`
			`if(!padManager.isValidPadId(padId) \|\| /\/$/.test(req.url))`
			`{`
Fix res.send (migrate to express v3) 2012-09-22 13:51:39 +02:00			`res.send(404, 'Such a padname is forbidden');`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00			`}`
			`else`
			`{`
			`padManager.sanitizePadId(padId, function(sanitizedPadId) {`
			`//the pad id was sanitized, so we redirect to the sanitized version`
			`if(sanitizedPadId != padId)`
			`{`
Don't rewrite in a stupid way Since we're already in the proper path for the pad, why worry about it? Replacing the entire path of the URL with /p/padname may have seemed like a good idea at the time, but really, for a 302 we only need a relative pathname. This patch provides the proper way. 2012-07-03 01:46:31 +02:00			`var real_url = sanitizedPadId;`
The pad name sanitizer shouldn't drop query params. issue #779 2012-06-13 21:20:29 +02:00			`var query = url.parse(req.url).query;`
			`if ( query ) real_url += '?' + query;`
			`res.header('Location', real_url);`
Fix res.send (migrate to express v3) 2012-09-22 13:51:39 +02:00			`res.send(302, 'You should be redirected to <a href="' + real_url + '">' + real_url + '</a>');`
Bugfix for not loading plugins until after db, plus moved padursanitize into own module 2012-02-24 23:38:37 +01:00			`}`
			`//the pad id was fine, so just render it`
			`else`
			`{`
			`next();`
			`}`
			`});`
			`}`
			`});`
			`}`