check badge names

files/helpers/regex.py

@@ -21,6 +21,8 @@ tags_regex = re.compile("[a-z0-9: ]{1,200}", flags=re.A)
 hat_regex = re.compile("[a-zA-Z0-9\-() ,_]{1,50}", flags=re.A)
 description_regex = re.compile("[^<>&\n\t]{1,300}", flags=re.A)
 
+badge_name_regex = re.compile("[A-Za-z0-9 ]+", flags=re.A)
+
 
 valid_sub_regex = re.compile("^[a-zA-Z0-9_\-]{3,25}$", flags=re.A)
 

files/routes/comments.py

@@ -177,6 +177,12 @@ def comment(v:User):
 							badge_def = loads(body)
 							name = badge_def["name"]
 
+							if len(name) > 50:
+								abort(400, "Badge name is too long!")
+
+							if not badge_name_regex.fullmatch(name):
+								abort(400, "Invalid badge name!")
+
 							existing = g.db.query(BadgeDef).filter_by(name=name).one_or_none()
 							if existing: abort(409, "A badge with this name already exists!")