Add some safety checks to award modification / creation.

2026-04-27 03:00:12 -04:00 · 2014-04-04 11:16:08 -07:00
parent bbf15c1d1d
commit 5f912258da
2 changed files with 17 additions and 0 deletions
--- a/r2/r2/controllers/api.py
+++ b/r2/r2/controllers/api.py
@@ -2964,6 +2964,22 @@ class ApiController(RedditController):
            form.set_html(".status", "some other award has that codename")
            pass

+        url_ok = True
+
+        if not imgurl.startswith("//"):
+            url_ok = False
+            form.set_html(".status", "the url must be protocol-relative")
+
+        try:
+            imgurl % 1
+        except TypeError:
+            url_ok = False
+            form.set_html(".status", "the url must have a %d for size")
+
+        if not url_ok:
+            c.errors.add(errors.BAD_URL, field="imgurl")
+            form.has_errors("imgurl", errors.BAD_URL)
+
        if form.has_error():
            return

--- a/r2/r2/templates/adminawards.html
+++ b/r2/r2/templates/adminawards.html
@@ -91,6 +91,7 @@
      <td>
        <input type="text" name="imgurl" value="${imgurl}" />
        ${error_field("NO_TEXT", "imgurl", "span")}
+        ${error_field("BAD_URL", "imgurl", "span")}
      </td>
    </tr>
  </table>