chore: make sure pagename and path are always sanitized

redimp · Sep 4, 2024 · 8794654 · 8794654
1 parent 05bf74a
commit 8794654
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 11 deletions.
diff --git a/otterwiki/util.py b/otterwiki/util.py
@@ -67,17 +67,13 @@ def sanitize_pagename(value, allow_unicode=True):
         )
     # remove slashes, question marks ...
     value = re.sub(r"[?|$|.|!|#|\\]", r"", value)
-    #old version below
-    #value = re.sub(r"[?|$|.|!|#|/|\\]", r"", value)
 
-    # remove leading -
-    value = value.lstrip("-")
+    # remove leading -/
+    value = value.lstrip("-/")
     # remove leading and trailing whitespaces
     value = value.strip()
 
-    #remove trailing slash. even if creating a folder, we will default
-    # to making it new_folder/Home
-    # This is a while loop because the regex no longer take this char off outright, only when it ends in  "/"
+    # remove trailing slash and double slashes
     value = clean_slashes(value)
 
     return value

diff --git a/otterwiki/wiki.py b/otterwiki/wiki.py
@@ -425,12 +425,12 @@ class Page:
     def __init__(self, pagepath=None, pagename=None, revision=None):
 
         if pagepath is not None:
-            self.pagepath = pagepath
+            self.pagepath = sanitize_pagename(pagepath)
             self.pagename = get_pagename(
                 pagepath
             )
         elif pagename is not None:
-            self.pagename = pagename
+            self.pagename = sanitize_pagename(pagename)
             self.pagepath = get_pagepath(pagename)
 
         self.pagename_full = get_pagename(self.pagepath, full=True)
@@ -484,7 +484,7 @@ def exists_or_404(self):
             response404 = make_response(
                 render_template(
                     "page404.html",
-                    pagename=self.pagename,
+                    pagename=self.pagename_full,
                     pagepath=self.pagepath,
                 ),
                 404,
@@ -682,6 +682,7 @@ def editor(self, author, handle_draft=None):
     def save(self, content, commit, author):
         if not has_permission("WRITE"):
             abort(403)
+
         # store page
         changed = storage.store(
             filename=self.filename,
@@ -692,7 +693,7 @@ def save(self, content, commit, author):
         if not changed:
             toast("Nothing changed.", "warning")
         else:
-            toast("{} saved.".format(self.pagename))
+            toast("{} saved.".format(self.pagename_full))
         # take care of drafts
         self.discard_draft(author)
         # redirect to view