Update UserMgmtService.java

Ramos-dev · web-flow · commit bb3d1d2aee5d · 2017-08-13T20:29:29.000+08:00
valid email&amp;username to fix an XSS vulnerability
diff --git a/src/main/java/org/b3log/solo/service/UserMgmtService.java b/src/main/java/org/b3log/solo/service/UserMgmtService.java
@@ -274,6 +274,9 @@ public String addUser(final JSONObject requestJSONObject) throws ServiceExceptio
         try {
             final JSONObject user = new JSONObject();
             final String userEmail = requestJSONObject.optString(User.USER_EMAIL).trim().toLowerCase();
+            if (!Strings.isEmail(userEmail)) {
+                throw new ServiceException(langPropsService.get("mailInvalidLabel"));
+            }
             final JSONObject duplicatedUser = userRepository.getByEmail(userEmail);
 
             if (null != duplicatedUser) {
@@ -287,6 +290,9 @@ public String addUser(final JSONObject requestJSONObject) throws ServiceExceptio
             user.put(User.USER_EMAIL, userEmail);
 
             final String userName = requestJSONObject.optString(User.USER_NAME);
+            if (UserExt.invalidUserName(userName)) {
+                throw new ServiceException(langPropsService.get("userNameInvalidLabel"));
+            }
             user.put(User.USER_NAME, userName);
 
             final String userPassword = requestJSONObject.optString(User.USER_PASSWORD);
