X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=routes%2Fall.js;h=b9665327dab08dd76a24bfbcb5d0e38cfa586484;hb=b5fb8e693dc82037eec2617a7dc49d838a9a8441;hp=f3e184e608133d267c374f6b4c0360c1c8531690;hpb=da06a6eb0237123ce43fdb01cb06246b8b57f5e5;p=vchess.git
diff --git a/routes/all.js b/routes/all.js
index f3e184e6..b9665327 100644
--- a/routes/all.js
+++ b/routes/all.js
@@ -28,6 +28,7 @@ router.get("/:vname([a-zA-Z0-9]+)", (req,res,next) => {
 return next(err);
 if (!variant || variant.length==0)
 return next(createError(404));
+ // TODO (later...) get only n=100(?) most recent problems
 db.all("SELECT * FROM Problems WHERE variant='" + vname + "'", (err2,problems) => {
 if (!!err2)
@@ -55,6 +56,9 @@ router.get("/problems/:variant([a-zA-Z0-9]+)", (req,res) => {
 if (!req.xhr)
 return res.json({errmsg: "Unauthorized access"});
 // TODO: next or previous: in params + timedate (of current oldest or newest)
+ db.serialize(function() {
+ //TODO
+ });
 });
 // Upload a problem (AJAX)
@@ -62,10 +66,13 @@ router.post("/problems/:variant([a-zA-Z0-9]+)", (req,res) => {
 if (!req.xhr)
 return res.json({errmsg: "Unauthorized access"});
 const vname = req.params["variant"];
-
- // TODO: get parameters and sanitize them
- sanitizeHtml(req.body["fen"]); // [/a-z0-9 ]*
- sanitizeHtml(req.body["instructions"]);
+ const timestamp = Date.now();
+ // Sanitize them
+ const fen = req.body["fen"];
+ if (!fen.match(/^[a-zA-Z0-9, /-]*$/))
+ return res.json({errmsg: "Bad characters in FEN string"});
+ const instructions = sanitizeHtml(req.body["instructions"]);
+ const solution = sanitizeHtml(req.body["solution"]);
 db.serialize(function() {
 let stmt = db.prepare("INSERT INTO Problems VALUES (?,?,?,?,?)");
 stmt.run(timestamp, vname, fen, instructions, solution);
@@ -74,5 +81,4 @@ router.post("/problems/:variant([a-zA-Z0-9]+)", (req,res) => {
 res.json({});
 });
-
 module.exports = router;
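Review bot: The new TODO above the SELECT in the `/:vname` handler is vague about what it defers, and the query it sits on is still built by string concatenation from `vname`; that is safe here only because the route pattern `[a-zA-Z0-9]+` constrains the parameter. The INSERT later in this file already uses `?` placeholders, so for consistency, and so that the query's safety no longer depends on the route regex, `db.all("SELECT * FROM Problems WHERE variant=?", [vname], (err2,problems) => {` is the form to settle on. The TODO itself would be more useful stating the intent, `// TODO: bound this query (most recent first, LIMIT ~100) before the Problems table grows`. The enclosing handler starts and ends outside the hunk.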
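Review bot: The `db.serialize` block added to the GET `/problems/:variant` handler leaves the XHR path without any response: nothing inside it calls `res.json` or `next`, so a request that passes the `req.xhr` check hangs until the client times out. Until the paging query is written, send an explicit placeholder so callers fail fast and the gap is visible in logs rather than as a stalled connection, e.g. replace `//TODO` with `res.json({errmsg: "Not implemented"});` (or a 501 via `res.status`). An empty `serialize` callback is also a no-op, so the TODO could live in a comment alone until there is a statement to serialize.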
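Review bot: `fen.match(...)` on the new side throws a TypeError when `req.body["fen"]` is absent or not a string (a missing field, or a number or array in a JSON body), so a malformed upload ends in a 500 instead of the intended JSON error; guard the type first and use `test`, `if (typeof fen !== "string" || !/^[a-zA-Z0-9, /-]*$/.test(fen))`. The character class also accepts the empty string, so `+` rather than `*` is probably wanted if an empty FEN is not meaningful — confirm against whatever parses it. `instructions` and `solution` are sanitized but get no presence or length check, and whether `sanitizeHtml` tolerates `undefined` should be confirmed; since all three values go straight into the INSERT, a maximum length on each would keep the Problems table from receiving arbitrarily large rows. The handler body continues outside the hunk.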