From 9b35d14c2a7bee31e513bc6082080f5cb2ba3244 Mon Sep 17 00:00:00 2001
From: mickenordin <mik@elnord.in>
Date: Thu, 27 Jun 2019 14:27:09 +0200
Subject: [PATCH] Add input validation for name

---
 lib/Thruk/Controller/api_conf.pm | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/lib/Thruk/Controller/api_conf.pm b/lib/Thruk/Controller/api_conf.pm
index 18bf7d5..0bddbb8 100644
--- a/lib/Thruk/Controller/api_conf.pm
+++ b/lib/Thruk/Controller/api_conf.pm
@@ -491,6 +491,15 @@ sub display_editor {
 	     return false;
 	  }
 	}
+        function validateName () {
+          var str = document.getElementById("itemname").value;
+          if( /^[\w-.]+$/.test(str)) {
+              return true;
+          } else {
+	     popitup("Invalid name! Please use only a-Z, 0-9 and _-. in the name field.");
+	     return false;
+          }
+        }
 </script>';
     $textbox .= $q->p($head);
     unless ( $page_type eq "services" and $mode eq "create" ) {
@@ -498,12 +507,13 @@ sub display_editor {
             -method   => $METHOD,
             -action   => "api_conf.cgi",
             -id       => "JSONForm",
-            -onSubmit => "return validateJSON()"
+            -onSubmit => "return validateJSON() && validateName()"
         );
     }
     if ( $mode eq "create" ) {
         $textbox .= $q->p("Enter $name name:");
-        $textbox .= $q->textfield( $name, '', 50, 80 );
+        $textbox .= $q->textfield( -name => $name, -id => 'itemname', -size => 50, -maxlength => 80 );
+        #$textbox .= $q->textfield( $name, '', 50, 80 );
         $textbox .= $q->p("Editor:");
     }
     if ($hidden) {