[#6412] ticket:385 Allow only [-_a-zA-Z0-9]+ in short urls
diff --git a/ForgeShortUrl/forgeshorturl/main.py b/ForgeShortUrl/forgeshorturl/main.py
index d26c69e..3081e81 100644
--- a/ForgeShortUrl/forgeshorturl/main.py
+++ b/ForgeShortUrl/forgeshorturl/main.py
@@ -196,6 +196,16 @@
 
 
 class ShortURLAdminController(DefaultAdminController):
+
+    shorturl_validators = All(
+        validators.NotEmpty(),
+        validators.Regex(
+            r'^[-_a-zA-Z0-9]+$',
+            messages={'invalid': 'must include only letters, numbers, dashes and underscores.'}
+        )
+    )
+
+
     def __init__(self, app):
         self.app = app
 
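Review bot: The pattern `r'^[-_a-zA-Z0-9]+$'` in `shorturl_validators` still accepts a value that ends in a single newline, because Python's `$` also matches just before a final `\n`. As far as I know, FormEncode's `Regex` validator does not strip the value unless `strip=True` is set. Anchoring the end with `\Z`, as in `r'^[-_a-zA-Z0-9]+\Z'`, makes the allow-list exact. The class body continues outside the hunk, so I cannot see whether the value is normalised again before it is stored.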
@@ -215,7 +225,7 @@
     @expose('jinja:forgeshorturl:templates/form.html')
     @validate(dict(full_url=All(validators.URL(add_http=True),
                                 validators.NotEmpty()),
-                   short_url=validators.NotEmpty()))
+                   short_url=shorturl_validators))
     def add(self, short_url='', full_url='', description='', private='off',
             update=False, **kw):
         if update:
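Review bot: The stricter `short_url=shorturl_validators` also applies to the `update` branch of `add`, so a short URL saved under the old `NotEmpty()`-only rule with other characters will presumably no longer be editable through this form. If such records can exist, either migrate them or note the limitation in a comment above the decorator, for example `# NOTE: legacy short urls with other characters fail validation on update`. There is also no upper bound on length, and a `validators.MaxLength(...)` in the `All(...)` chain would cap what gets stored. The body of `add` continues outside the hunk, so the update path itself is not visible here.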
diff --git a/ForgeShortUrl/forgeshorturl/tests/functional/test.py b/ForgeShortUrl/forgeshorturl/tests/functional/test.py
index e162b38..8f0fc64 100644
--- a/ForgeShortUrl/forgeshorturl/tests/functional/test.py
+++ b/ForgeShortUrl/forgeshorturl/tests/functional/test.py
@@ -97,6 +97,16 @@
         r = self.app.post('/admin/url/add', params=d)
         assert 'exists' in self.webflash(r)
 
+    def test_shorturl_chars_restrictions(self):
+        d = dict(short_url='', full_url='http://sf.net/')
+        r = self.app.post('/admin/url/add', params=d)
+        assert ShortUrl.query.find(dict(app_config_id=c.app.config._id)).count() == 0
+        assert 'Please enter a value' in self.webflash(r)
+        d = dict(short_url='g*', full_url='http://sf.net/')
+        r = self.app.post('/admin/url/add', params=d)
+        assert ShortUrl.query.find(dict(app_config_id=c.app.config._id)).count() == 0
+        assert 'Short url: must include only letters, numbers, dashes and underscores.' in self.webflash(r)
+
     def test_shorturl_remove(self):
         self.app.post('/admin/url/add',
                 params=dict(short_url='g', full_url='http://google.com/'))
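Review bot: `test_shorturl_chars_restrictions` checks only rejections (the empty value and `'g*'`), so a pattern that is too strict or has a loose end anchor would still pass. Add an accepted value that uses every allowed class, e.g. `d = dict(short_url='a-B_1', full_url='http://sf.net/')`, and assert that the count becomes 1. Add a boundary case such as `short_url='g\n'` and assert that the count stays 0. Place the rejecting cases before the accepting one so the `count() == 0` assertions remain valid.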