From f319a7eaaef3922520fb4742cf22cc7d69e26c1c Mon Sep 17 00:00:00 2001
From: Azri Kahar <42867097+azrikahar@users.noreply.github.com>
Date: Fri, 22 Apr 2022 20:04:52 +0800
Subject: [PATCH] Prevent pasting non slug or db safe characters (#12951)
---
 app/src/components/v-input/v-input.vue | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/app/src/components/v-input/v-input.vue b/app/src/components/v-input/v-input.vue
index aae14aa564..33e8dee840 100644
--- a/app/src/components/v-input/v-input.vue
+++ b/app/src/components/v-input/v-input.vue
@@ -156,7 +156,7 @@ function processValue(event: KeyboardEvent) {
 const value = (event.target as HTMLInputElement).value;
 if (props.slug === true) {
- const slugSafeCharacters = 'abcdefghijklmnopqrstuvwxyz01234567890-_~ '.split('');
+ const slugSafeCharacters = 'abcdefghijklmnopqrstuvwxyz0123456789-_~ '.split('');
 const isAllowed = slugSafeCharacters.includes(key) || systemKeys.includes(key) || key.startsWith('arrow');
@@ -170,7 +170,7 @@ function processValue(event: KeyboardEvent) {
 }
 if (props.dbSafe === true) {
- const dbSafeCharacters = 'abcdefghijklmnopqrstuvwxyz01234567890_ '.split('');
+ const dbSafeCharacters = 'abcdefghijklmnopqrstuvwxyz0123456789_ '.split('');
 const isAllowed = dbSafeCharacters.includes(key) || systemKeys.includes(key) || key.startsWith('arrow');
@@ -210,6 +210,9 @@ function emitValue(event: InputEvent) {
 }
 } else {
 if (props.slug === true) {
+ // prevent pasting of non slugSafeCharacters from bypassing the keydown checks
+ value = value.replace(/[^a-zA-Z0-9-_~]/g, '');
+
 const endsWithSpace = value.endsWith(' ');
 value = slugify(value, { separator: props.slugSeparator, preserveTrailingDash: true });
 if (endsWithSpace) value += props.slugSeparator;
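Review bot: In the `emitValue` slug branch the new strip removes spaces before `endsWithSpace` is computed, so `value.endsWith(' ')` can no longer be true and the trailing-separator line is effectively dead. Inner spaces are also deleted before `slugify` sees them, so input containing spaces is concatenated rather than separated, even though the keydown allowlist `slugSafeCharacters` still permits a space. Keeping the space in the class, and moving the hyphen to the end so it cannot be read as a range, would align the two checks: `value = value.replace(/[^a-zA-Z0-9_~ -]/g, '');`. The body of `emitValue` starts and ends outside this hunk, so any earlier handling of `value` is not visible here.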
@@ -217,6 +220,8 @@ function emitValue(event: InputEvent) {
 if (props.dbSafe === true) {
 value = value.replace(/\s/g, '_');
+ // prevent pasting of non dbSafeCharacters from bypassing the keydown checks
+ value = value.replace(/[^a-zA-Z0-9_]/g, '');
 // Replace é -> e etc
 value = value.normalize('NFD').replace(/[\u0300-\u036f]/g, '');
 }
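Review bot: The added allowlist strip in the `dbSafe` branch runs before the existing NFD normalization, so a precomposed accented letter such as `é` is deleted outright and the "Replace é -> e etc" step below it never has anything left to transliterate. Swapping the order keeps both behaviours: run `value = value.normalize('NFD').replace(/[\u0300-\u036f]/g, '');` first, then `value = value.replace(/[^a-zA-Z0-9_]/g, '');`. This filter runs only in the browser input component, so if these values are later used as database identifiers (not visible in this hunk), the same allowlist should also be enforced where the value is accepted server-side. `emitValue` begins outside the hunk.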