From fff3d70ba494214e434083c9d0e32f3def32138f Mon Sep 17 00:00:00 2001
From: xengineering
Date: Sat, 22 Apr 2023 20:38:25 +0200
Subject: Verify JSON input

Without verification the text input is simply saved to the file. This is no problem for the recipe editing but since the json.Unmarshal functino will also fail on the index and recipe page this recipe will simply disappear from the web server while the file still exists on disk.
---
 handler.go | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/handler.go b/handler.go
index e2d2183..98bcc2d 100644
--- a/handler.go
+++ b/handler.go
@@ -1,6 +1,7 @@
 package main
 
 import (
+ "encoding/json"
 "fmt"
 "io/ioutil"
 "net/http"
@@ -88,16 +89,21 @@ func recipeEditPost(w http.ResponseWriter, r *http.Request) {
 }
 
 idStr := r.Form["id"][0]
- buffer := r.Form["text"][0]
-
 idRegex := regexp.MustCompile(VALID_ID_REGEX)
 if !(idRegex.MatchString(idStr)) {
 http.Error(w, "Bad 'id' URL parameter.", 400)
 return
 }
 
+ buffer := []byte(r.Form["text"][0])
+ err := json.Unmarshal(buffer, &recipe{})
+ if err != nil {
+ http.Error(w, "Text input could not be parsed to recipe.", 400)
+ return
+ }
+
 textpath := filepath.Join(config.Data, "recipes", idStr, "text")
- err := ioutil.WriteFile(textpath, []byte(buffer), 0644)
+ err = ioutil.WriteFile(textpath, buffer, 0644)
 if err != nil {
 http.Error(w, "Could not save new text for recipe.", 500)
 }
--
cgit v1.2.3-70-g09d2
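Review bot: The new line `buffer := []byte(r.Form["text"][0])` indexes the form slice directly, so a POST without a `text` field panics in the handler instead of reaching the new 400 branch, unless the part of recipeEditPost above this hunk already checks for the field. `buffer := []byte(r.Form.Get("text"))` yields an empty string for a missing field, which json.Unmarshal then rejects with the intended 400; the same direct indexing is present in `r.Form["id"][0]` on the context line above. json.Unmarshal into `&recipe{}` also accepts the literal `null` and ignores unknown fields, so the check shows the text parses but not that it holds a usable recipe; a json.Decoder with DisallowUnknownFields would be stricter if that matters here. The function begins before the hunk and continues after it.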