From 3e632dd91fe7d908624b8928d4ecdacf089e9338 Mon Sep 17 00:00:00 2001
From: Evert Prants
Date: Thu, 24 Oct 2019 11:27:02 +0300
Subject: [PATCH] Better URL validation

---
 app.js | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/app.js b/app.js
index e4ef502..a7089b5 100644
--- a/app.js
+++ b/app.js
@@ -391,14 +391,13 @@ app.post('/dashboard/link', async (req, res) => {
   if (name == null || url == null) return res.jsonp({ error: 'Missing parameters!' })
   if (name.length > 120) return res.jsonp({ error: 'Only 120 characters are allowed in the name.' })
-  if (name.indexOf('<') !== -1 || name.indexOf('>') !== -1) return res.jsonp({ error: 'HTML tags are forbidden!' })
+  if (name.length < 3) return res.jsonp({ error: 'Minimum name length is 3 characters.' })
+  if (name.indexOf('<') !== -1 || name.indexOf('>') !== -1 ||
+    url.indexOf('<') !== -1 || url.indexOf('>') !== -1) return res.jsonp({ error: 'HTML tags are forbidden!' })
   // Validate URL
-  try {
-    URL.parse(url)
-  } catch (e) {
-    return res.jsonp({ error: 'Invalid URL!' })
-  }
+  let a = URL.parse(url)
+  if (a.protocol === null || a.host === null || a.slashes !== true) return res.jsonp({ error: 'Invalid URL!' })
   // Checks
   let db = await dbPromise
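Review bot: The new `URL.parse` check on the last `+` line only requires some scheme followed by `//` and a host, so links such as `file://host/etc/passwd`, `ftp://...` or `anything://x` pass as valid while only hostless schemes like `javascript:` are rejected; if these stored links are later rendered as `href`s or fetched server-side (not visible in this hunk), that is still unsafe. Allow-list the scheme directly after that line: `if (a.protocol !== 'http:' && a.protocol !== 'https:') return res.jsonp({ error: 'Invalid URL!' })`. Note also that `url.parse()` is the legacy Node parser (marked legacy in the Node docs and known to be more permissive than the WHATWG parser); `new URL(url)` inside the old `try/catch` would validate strictly and expose the same `protocol` field for the allow-list. The `<`/`>` blocklist now applied to `url` does not cover quote characters or attribute-context injection, so output encoding wherever the link is rendered remains necessary, and `let a` should be `const` with a descriptive name such as `parsedUrl`. The enclosing handler `app.post('/dashboard/link', ...)` starts and ends outside the hunk.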