api: sanitise new commenters' links

api/commenter_new.go

@@ -15,6 +15,13 @@ func commenterNew(email string, name string, link string, photo string, provider
 		return "", errorMissingField
 	}
 
+	// See utils_sanitise.go's documentation on isHttpsUrl. This is not a URL
+	// validator, just an XSS preventor.
+	// TODO: reject URLs instead of malforming them.
+	if !isHttpsUrl(link) {
+		link = "https://" + link
+	}
+
 	if _, err := commenterGetByEmail(provider, email); err == nil {
 		return "", errorEmailAlreadyExists
 	}

api/utils_sanitise.go

@@ -33,3 +33,13 @@ func stripPath(url string) string {
 
 	return strippedPath
 }
+
+var httpsUrl = regexp.MustCompile(`^https?://`)
+
+func isHttpsUrl(in string) bool {
+	// Admittedly, this isn't the greatest URL checker. But it does what we need.
+	// I don't care if the user gives an invalid URL, I just want to make sure
+	// they don't do any XSS shenanigans. Hopefully, enforcing a https?:// prefix
+	// solves this. If this function returns false, prefix with "http://"
+	return len(httpsUrl.FindAllString(in, -1)) != 0
+}