fix: empty event rendering due to bad end_datetime, fix #426

- enforce end_datetime input validation
- validation alone is not enough, since an event could be added manually by a plugin and old events may hold bad values, so we also enforce a numeric end_datetime.

the point is that in sqlite you can put a string into an INTEGER column!
lesion 2024-07-26 14:44:18 +02:00
parent ba9ed8af34
commit 9b7b1f289f
No known key found for this signature in database
GPG key ID: 352918250B012177
2 changed files with 22 additions and 3 deletions


@ -200,6 +200,7 @@ const eventController = {
event.next = next && (next.slug || next.id)
event.prev = prev && (prev.slug || prev.id)
event.tags = event.tags.map(t => t.tag)
event.end_datetime = Number(event.end_datetime) || null
event.plain_description = htmlToText(event.description, event.description.replace('\n', '').slice(0, 1000) )
if (format === 'json') {
@ -484,6 +485,10 @@ const eventController = {
return res.status(400).send(`Wrong format for start datetime`)
}
if (body.end_datetime && !Number(body.end_datetime)) {
return res.status(400).send(`Wrong format for end datetime`)
}
if (Number(body.start_datetime) > 1000*24*60*60*365) {
return res.status(400).send('are you sure?')
}
@ -506,8 +511,8 @@ const eventController = {
// sanitize and linkify html
description: helpers.sanitizeHTML(linkifyHtml(body.description || '', { target: '_blank', render: { email: ctx => ctx.content }})),
multidate: body.multidate,
start_datetime: body.start_datetime,
end_datetime: body.end_datetime,
start_datetime: Number(body.start_datetime),
end_datetime: Number(body.end_datetime) || null,
online_locations: body.online_locations,
recurrent,
// publish this event only if authenticated
@ -831,7 +836,6 @@ const eventController = {
}
if (query) {
replacements.push(query)
replacements.push(query)
where[Op.or] =
[
@ -879,6 +883,7 @@ const eventController = {
return events.map(e => {
e = e.get()
e.tags = e.tags ? e.tags.map(t => t && t.tag) : []
e.end_datetime = Number(e.end_datetime) || null
if (!e.multidate) {
delete e.multidate
}
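Review bot: The `end_datetime` guard added in the `@ -484` hunk rejects only values for which `Number()` yields `NaN` or `0`, so `"Infinity"`, `"1e400"`, negative numbers, fractions and hex strings such as `"0x10"` all pass and are then stored by `end_datetime: Number(body.end_datetime) || null`. Since the commit message notes that SQLite accepts non-integer values in an INTEGER column, the check should require a positive safe integer, e.g. `const end = Number(body.end_datetime)` followed by `if (body.end_datetime && !(Number.isSafeInteger(end) && end > 0)) return res.status(400).send('Wrong format for end datetime')`. Nothing visible in these hunks compares the end against `start_datetime`; the handler continues outside the hunk, so if that comparison is not made elsewhere it belongs next to this check.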


@ -290,6 +290,20 @@ describe('Events', () => {
.expect(400)
})
test('should validate end_datime', async () => {
const event = {
title: ' test title 5',
start_datetime: dayjs().unix() + 1000,
end_datetime: "Antani",
place_id: places[0],
}
const response = await request(app).post('/api/event')
.send(event)
.expect(400)
})
test('should trim tags and title', async () => {
const event = {
title: ' test title 4 ',
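Review bot: The new test's name misspells the field (`'should validate end_datime'`) and `response` is assigned but never read; rename it to `'should validate end_datetime'` and either drop the binding or assert on `response.text`. The test also exercises a single non-numeric string (`"Antani"`), so inputs that `Number()` accepts but that are not plausible timestamps, such as a negative number or `"Infinity"`, are not pinned either way; a further case for one of those would record whichever behaviour is intended. The body of the following test continues outside the hunk.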