some input validation

core/views/uploads.py

@@ -71,13 +71,23 @@ def logbookedit(request, year=None):
             return render(request, "errors/generic.html", {"message": message})
         else:
             # validation all to be done yet..
-            date = request.POST["date"]   # check valid and this year
+            date = request.POST["date"].strip()   # check valid and this year
-            author = request.POST["author"]   # check against personexpedition
+            author = request.POST["author"].strip()   # check against personexpedition
-            others = request.POST["others"]    # check each against personexpedition
+            others = request.POST["others"].strip()    # check each against personexpedition
-            place = request.POST["place"]   # no hyphens !
+            place = request.POST["place"].strip().replace('-','=')  # no hyphens !
-            title = request.POST["title"]   
+            title = request.POST["title"].strip()   
-            entry = request.POST["text"] # replace 2 \n or <p> with <br><br>
+            entry = request.POST["text"].strip() # get rid of trailing spaces
-            tu = request.POST["tu"] # check numeric
+            entry = entry.replace('\r','') # remove HTML-standard CR inserted
+            entry = entry.replace('\n\n','\n<br /><br />\n') # replace 2 \n  with <br><br>
+            entry = entry.replace('<p','<br /><br') # replace <p> tag, even if it has attributes,  with <br><br>
+            entry = entry.replace('<br>','<br />') # clean up previous hack
+            tu = request.POST["tu"].strip()
+            if tu =="":
+                tu = 0
+            try:
+                tu = float(tu)/1 # check numeric
+            except:
+                tu = 0
             seq = 99 # should match the number of entries on this date +1 in the db already
             
             # OK this could be done by rendering a template, but for such a small bit of HTML, it is easier to have