From 5019ef3f4178bb6875bed53715ff3084c07b6a3a Mon Sep 17 00:00:00 2001 From: Avris Date: Wed, 11 Aug 2021 23:12:55 +0200 Subject: [PATCH] [sec] remove apostrophes from keys --- server/routes/sources.js | 4 ++-- server/routes/terms.js | 4 ++-- src/helpers.js | 5 +++++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/server/routes/sources.js b/server/routes/sources.js index 6313ec25..780861b6 100644 --- a/server/routes/sources.js +++ b/server/routes/sources.js @@ -1,7 +1,7 @@ import { Router } from 'express'; import SQL from "sql-template-strings"; import {ulid} from "ulid"; -import {handleErrorAsync} from "../../src/helpers"; +import {clearKey, handleErrorAsync} from "../../src/helpers"; const approve = async (db, id) => { const { base_id } = await db.get(SQL`SELECT base_id FROM sources WHERE id=${id}`); @@ -84,7 +84,7 @@ router.post('/sources/submit', handleErrorAsync(async (req, res) => { ${id}, ${global.config.locale}, ${req.body.pronouns.join(';')}, ${req.body.type}, ${req.body.author}, ${req.body.title}, ${req.body.extra}, ${req.body.year}, ${req.body.fragments.join('@').replace(/\n/g, '|')}, ${req.body.comment}, ${req.body.link}, - ${req.body.key || null}, ${req.body.images || null}, + ${clearKey(req.body.key)}, ${req.body.images || null}, ${req.user ? req.user.id : null}, ${req.body.base} ) `); diff --git a/server/routes/terms.js b/server/routes/terms.js index 24f375f6..d8ae38a4 100644 --- a/server/routes/terms.js +++ b/server/routes/terms.js @@ -1,7 +1,7 @@ import { Router } from 'express'; import SQL from 'sql-template-strings'; import {ulid} from "ulid"; -import {isTroll, handleErrorAsync, sortClearedLinkedText} from "../../src/helpers"; +import {isTroll, handleErrorAsync, sortClearedLinkedText, clearKey} from "../../src/helpers"; import { caches } from "../../src/cache"; const approve = async (db, id) => { 
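Review bot: Rows stored before this commit, and any other code path that writes `key`, are not covered by the `clearKey(req.body.key)` call added in the `/sources/submit` hunk of server/routes/sources.js; the same applies to the `/terms/submit` hunk in server/routes/terms.js. The value is already bound as a parameter by the `SQL` template tag, so the apostrophe presumably matters where the stored key is later read back and placed in a quoted context that this diff does not show. A one-off migration of existing `key` values, plus escaping or encoding where the key is emitted, would keep the protection from depending on every writer calling the helper. A short comment at each call site, such as `// key is embedded in quoted output downstream, normalise before storing`, would record why the call is there.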
@@ -95,7 +95,7 @@ router.post('/terms/submit', handleErrorAsync(async (req, res) => { INSERT INTO terms (id, term, original, key, definition, approved, base_id, locale, author_id, category, flags, images) VALUES ( ${id}, - ${req.body.term.join('|')}, ${req.body.original.join('|')}, ${req.body.key || null}, ${req.body.definition}, + ${req.body.term.join('|')}, ${req.body.original.join('|')}, ${clearKey(req.body.key)}, ${req.body.definition}, 0, ${req.body.base}, ${global.config.locale}, ${req.user ? req.user.id : null}, ${req.body.categories.join(',')}, ${JSON.stringify(req.body.flags)}, ${req.body.images} ) diff --git a/src/helpers.js b/src/helpers.js index c365d57c..d4a1a5a5 100644 --- a/src/helpers.js +++ b/src/helpers.js @@ -207,3 +207,8 @@ export const sortClearedLinkedText = (items, key) => { items.sort((a, b) => clearLinkedText(a[key].toLowerCase()).localeCompare(clearLinkedText(b[key].toLowerCase()))) return items; } + +export const clearKey = (key) => { + if (!key) { return null; } + return key.replace(/'/g, '_'); +}
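Review bot: `clearKey` in src/helpers.js calls `key.replace` on any truthy value, so a request body that carries `key` as a number, array or object (possible if the body is parsed as JSON) raises a TypeError inside the submit handlers instead of being rejected cleanly. A type guard such as `if (typeof key !== 'string' || !key) { return null; }` closes that gap. The helper also denies exactly one character; if the key is later embedded in markup or script, double quotes, backslashes and angle brackets still pass, so an allowlist such as `key.replace(/[^\p{L}\p{N}_-]/gu, '_')` would be sturdier, provided it fits the key format the site expects. A one-line doc comment stating which output context the key must be safe for would help the next reader judge whether the character set is sufficient.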