secure user input

express_backend/securePostData.js

@@ -0,0 +1,13 @@
+function secure(text){
+    text = text.replace(/'/g, "\\u0027");
+    return text;
+}
+
+function decode(text){
+    text = text.replace(/\\u0027/g, "'");
+    return text;
+}
+
+module.exports = {
+    secure, decode
+}

express_backend/server.js

@@ -4,7 +4,7 @@ const app = express();
 const sqlite3 = require('sqlite3');
 const db = new sqlite3.Database("database.db")
 const port = process.env.PORT || 5000;
-
+const securePostData = require('./securePostData');
 // body parser
 const bodyParser = require('body-parser');
 app.use(bodyParser.json());
@@ -29,7 +29,11 @@ app.get('/idea/:id', (req, res) => {
             res.send({title: "Error", content: "Error fetching idea"});
         }else{
             if(rows.length > 0){
-            res.json(rows[0]);
+                // De-Formatting
+                rows[0].title = securePostData.decode(rows[0].title);
+                rows[0].content = securePostData.decode(rows[0].content);
+
+                res.json(rows[0]);
             }else{
                 res.send({title: "Error", content: "Idea not found"});
             }
@@ -42,6 +46,11 @@ app.get('/ideas', (req, res) => {
         if (err) {
             res.send({title: "Error", content: "Error fetching ideas"});
         }else{
+            for (let i = 0; i < rows.length; i++) {
+                // De-Formatting
+                rows[i].title = securePostData.decode(rows[i].title);
+                rows[i].content = securePostData.decode(rows[i].content);
+            }
             res.json(rows);
         }
     });
@@ -49,11 +58,40 @@ app.get('/ideas', (req, res) => {
 
 
 app.post('/idea/update/:id', (req, res) => {
-    db.run(`UPDATE ideas SET title = '${req.body.title}', content = '${req.body.content}' WHERE id = ${req.params.id}`, (err) => {
+
+    // Validate POST
+    if(!req.body.title || req.body.title.replace(/\s/g, '').length === 0){
+        res.send({title: "Error", type:"title", message: "Title is required"});
+        return;
+    }else if(!req.body.content || req.body.content.replace(/\s/g, '').length === 0){
+        res.send({title: "Error", type:"content", message: "Content is required"});
+        return;
+    }
+
+    let regexPattern = /^[a-zA-ZÀ-úÀ-ÿÀ-ÿÀ-ÖØ-öø-ÿ0-9ßäöüÄÖÜ!@#$%^&*()_+\-=\[\]{};':"\\|,.<>\/?`´\s]*$/;
+
+    
+    if(!regexPattern.test(req.body.title)){
+        res.send({title: "Error", type:"title", message: "Title contains invalid characters"});
+        return;
+    }else if(!regexPattern.test(req.body.content)){
+        res.send({title: "Error", type:"content", message: "Content contains invalid characters"});
+        return;
+    }
+
+    // replace ' with \u0027
+    let title = securePostData.secure(req.body.title);
+    let content = securePostData.secure(req.body.content);
+
+
+
+
+
+    db.run(`UPDATE ideas SET title = '${title}', content = '${content}' WHERE id = ${req.params.id}`, (err) => {
         if (err) {
-            res.send({title: "Error", content: "Error updating idea"});
+            res.send({title: "Error", type:"saving", message: "Error updating idea"});
         }else{
-            res.send({title: "Success", content: "Idea updated"});
+            res.send({title: "Success", type:"saving", message: "Idea updated"});
         }
     });
 });