feat(security): sanitize the participants' names

The `name` property of a participant should probably be changed to `identifier`. We might then add a (non necessarily unique) name for diplay only. This is bad, since the regex will obliterate any non-latin character. Need to check if `\P{Letter}` is supported in Godot.
2 years ago · 2cc30b1afb
1 changed files with 7 additions and 1 deletions
--- a/addons/majority_judgment/MajorityJudgmentParticipant.gd
+++ b/addons/majority_judgment/MajorityJudgmentParticipant.gd
@ -17,7 +17,12 @@ static func make(__name):


 func set_name(__name:String) -> void:
-	# FIXME: sanitize
+	var invalid = RegEx.new()
+	invalid.compile("[^a-zA-Z0-9+._-]+")
+	__name = invalid.sub(__name, '', true)
+	__name = __name.substr(0, min(__name.length(), 20))
+	if "" == __name:
+		printerr("Participant name is empty!")
 	name = __name


@ -25,3 +30,4 @@ func get_name() -> String:
 	if null == name:
 		return 'Anonymous'
 	return name
+