From ada5ab61a6e967208b08f612e6773b8d36543f31 Mon Sep 17 00:00:00 2001
From: Aevann1 <randomname42029@gmail.com>
Date: Fri, 23 Sep 2022 00:02:15 +0200
Subject: [PATCH] validate inputted channel id

---
 files/routes/static.py    | 11 +++++++----
 files/templates/live.html | 15 ++++++++++++++-
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/files/routes/static.py b/files/routes/static.py
index 3996f165c..1b9c3656e 100644
--- a/files/routes/static.py
+++ b/files/routes/static.py
@@ -475,13 +475,16 @@ if SITE == 'pcmemes.net':
 	@app.get('/logged_out/live')
 	@auth_desired_with_logingate
 	def live(v):
-		return render_template(f'live.html', v=v, live=live_cached()[0], offline=live_cached()[1])
+		return render_template('live.html', v=v, live=live_cached()[0], offline=live_cached()[1])
 
 	@app.post('/live/add')
 	@admin_level_required(2)
 	def live_add(v):
 		id = request.values.get('id')
-		if not id: abort(400)
+
+		if not id or len(id) != 24:
+			return render_template('live.html', v=v, live=live_cached()[0], offline=live_cached()[1], error="Invalid ID")
+
 		existing = g.db.get(Streamer, id)
 		if not existing:
 			streamer = Streamer(id=id)
@@ -490,7 +493,7 @@ if SITE == 'pcmemes.net':
 			if v.id != KIPPY_ID:
 				send_repeatable_notification(KIPPY_ID, f"@{v.username} has added a [new YouTube channel](https://www.youtube.com/channel/{streamer.id})")
 			cache.delete_memoized(live_cached)
-		return redirect(f'/live')
+		return redirect('/live')
 
 	@app.post('/live/remove')
 	@admin_level_required(2)
@@ -503,4 +506,4 @@ if SITE == 'pcmemes.net':
 				send_repeatable_notification(KIPPY_ID, f"@{v.username} has removed a [YouTube channel](https://www.youtube.com/channel/{streamer.id})")
 			g.db.delete(streamer)
 			cache.delete_memoized(live_cached)
-		return redirect(f'/live')
\ No newline at end of file
+		return redirect('/live')
\ No newline at end of file
diff --git a/files/templates/live.html b/files/templates/live.html
index 4e22d7108..ec5a1831a 100644
--- a/files/templates/live.html
+++ b/files/templates/live.html
@@ -19,6 +19,19 @@
 				window.open('{{link}}', '_blank');
 		}
 	</script>
+
+	{% if error %}
+		<div class="alert alert-danger alert-dismissible fade show d-flex my-3" role="alert">
+											<i class="fas fa-exclamation-circle my-auto"></i>
+											<span>
+											{{error}}
+											</span>
+											<button class="close" data-bs-dismiss="alert" aria-label="Close">
+												<span aria-hidden="true"><i class="far fa-times"></i></span>
+										</button>
+						</div>
+	{% endif %}
+
 	<div class="px-2">
 		<h1 class="py-3"><i class="fas fa-circle mr-3" style="color:red"></i>Live</h1>
 		<div class="overflow-x-auto">
@@ -73,7 +86,7 @@
 		{% if v and v.admin_level > 1 %}
 			<form action="/live/add" method="post">
 				<input type="hidden" name="formkey" value="{{v.formkey}}">
-				<input class="form-control" style="display:inline;width:350px" autocomplete="off" type="text" name="id" class="form-control" placeholder="Enter channel id..">
+				<input class="form-control" style="display:inline;width:350px" autocomplete="off" type="text" name="id" class="form-control" placeholder="Enter channel id.." minlength="24" maxlength="24" required>
 				<input autocomplete="off" class="btn btn-primary ml-auto" type="submit" onclick="disable(this)" value="Add Youtube Channel" style="margin-top:-5px">
 			</form>
 			<p class="mt-3">you can get the channel id using this site <a href="https://streamweasels.com/tools/youtube-channel-id-and-user-id-convertor" rel="nofollow noopener noreferrer" target="_blank">https://streamweasels.com/tools/youtube-channel-id-and-user-id-convertor</a></p>