From 636434c30dd36dd5a2e770dc00a3ba1e3ccfda4c Mon Sep 17 00:00:00 2001
From: Manager Bot
Date: Sat, 5 Nov 2022 20:10:45 +0000
Subject: [PATCH] That's safer.

---
 Web/lib/MJB/Web/Controller/Blog.pm | 24 +++++++++++++-----------
 1 file changed, 13 insertions(+), 11 deletions(-)

diff --git a/Web/lib/MJB/Web/Controller/Blog.pm b/Web/lib/MJB/Web/Controller/Blog.pm
index b96cf2f..3daa2aa 100644
--- a/Web/lib/MJB/Web/Controller/Blog.pm
+++ b/Web/lib/MJB/Web/Controller/Blog.pm
@@ -24,11 +24,16 @@ sub do_domain_hosted ( $c ) {
     my $sub_domain = $c->param('subdomain');
     my $top_domain = $c->db->hosted_domain( $c->param('hosted_domain_id') );
 
+    $sub_domain = lc($sub_domain);
+
     push @{$c->stash->{errors}}, "Please select a domain from the drop down menu."
         unless $top_domain;
 
     push @{$c->stash->{errors}}, "Please enter a value for the subdomain."
         unless $sub_domain;
+
+    push @{$c->stash->{errors}}, "Subdomains must start with a letter, and may use letters, numbers, dashes and hyphens."
+        unless $sub_domain =~ /^[a-z]+[a-z0-9-_]*$/;
 
     push @{$c->stash->{errors}}, "That domain name is already being used."
         unless $c->db->domains( { name => $sub_domain . '.' . $top_domain->name } )->count == 0;
@@ -39,9 +44,7 @@ sub do_domain_hosted ( $c ) {
         return;
     }
 
-    $c->redirect_to( $c->url_for( 'do_blog_initialize' )->query(
-        domain => $sub_domain . '.' . $top_domain->name,
-    ));
+    return $c->_initialize_blog( $sub_domain . '.' . $top_domain->name, 'show_blog_domain_hosted' );
 }
 
 # Initial blog creation entry point when the user
@@ -54,9 +57,11 @@ sub domain_owned ( $c ) {
 sub do_domain_owned ( $c ) {
     my $domain_name = $c->param('domain_name');
 
+    $domain_name = lc($domain_name);
+
     push @{$c->stash->{errors}}, "Please enter a value for the domain name."
         unless $domain_name;
-
+
     push @{$c->stash->{errors}}, "That domain name is already being used."
         unless $c->db->domains( { name => $domain_name } )->count == 0;
 
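Review bot: The new subdomain check `/^[a-z]+[a-z0-9-_]*$/` admits an underscore, which is not valid in a DNS hostname label and which the error message (it says "dashes and hyphens", two names for the same character) does not announce, and the `$` anchor still accepts a trailing newline; placing `-` between a range and `_` inside a class also reads as a range to anyone skimming it. I would tighten the line to `unless $sub_domain =~ /\A[a-z](?:[a-z0-9-]{0,61}[a-z0-9])?\z/;`, which also enforces the 63-octet label limit and forbids a trailing hyphen, and reword the message to match. `lc($sub_domain)` two lines earlier warns under `use warnings` when the field is absent; `$sub_domain = lc( $sub_domain // '' );` avoids that. The last context line still calls `$top_domain->name` when `$top_domain` is undefined, which none of the added checks prevent, though that line predates this commit; do_domain_hosted continues past the hunk.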
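Review bot: do_domain_owned lowercases the submitted name but, unlike the subdomain path in the first hunk, applies no syntax check before the value is used as a hostname and passed on to `_initialize_blog`, so a string containing spaces, slashes or no dot at all is accepted as a domain. Add a hostname-shaped test next to the emptiness test, `push @{$c->stash->{errors}}, "Please enter a valid domain name." unless $domain_name =~ /\A(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}\z/;`, and use `lc( $domain_name // '' )` so a missing field does not raise an uninitialized-value warning. The error-redirect block that follows these checks is outside this hunk.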
@@ -66,22 +71,19 @@ sub do_domain_owned ( $c ) {
         return;
     }
 
-    $c->redirect_to( $c->url_for( 'do_blog_initialize' )->query(
-        domain => $domain_name
-    ));
+    return $c->_initialize_blog( $domain_name, 'show_blog_domain_owned' );
 }
 
 # This is a special exception, it's actually a get request, because we want it
 # forwarded from the domain_hosted / domain_owned requests, and redirecting to
 # a post doesn't work. However, since we're doing things rather than displaying
 # things, it'll be named with the do_
-sub do_initialize ( $c ) {
-    my $domain = $c->param('domain');
+sub _initialize_blog ( $c, $domain, $from ) {
 
     # Do we already have this domain name?
     if ( $c->db->domain( { name => $domain } ) ) {
         $c->flash( errors => [ 'That domain name is already being hosted.' ] );
-        $c->redirect_to( $c->url_for( 'show_blog_domain_hosted' ) );
+        $c->redirect_to( $c->url_for( $from ) );
         return;
     }
 
@@ -114,7 +116,7 @@ sub do_initialize ( $c ) {
 
     if ( $c->stash->{errors} ) {
         $c->flash( errors => $c->stash->{errors} );
-        $c->redirect_to( $c->url_for( 'show_blog_domain_hosted' ) );
+        $c->redirect_to( $c->url_for( $from ) );
         return;
     }
 
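Review bot: The four-line comment kept above the renamed `_initialize_blog` still describes it as a GET handler reached by redirect with a `do_` name, which is no longer true now that it is a private method called directly from do_domain_hosted and do_domain_owned with the route to fall back to on failure. Replace it with something like `# Shared tail of the domain_hosted / domain_owned flows: creates the blog for $domain, or flashes the accumulated errors and redirects to the named route $from.` If the router still declares a `do_blog_initialize` route pointing at the removed `do_initialize` action, that route now has no target and should be dropped in the same change; the routes file is not part of this diff, so this is inferred. The matching `$from` substitution in the last hunk is fine as long as only the two literal route names are ever passed. The method body continues beyond this hunk.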