From 617aa5f0288b3cb47beedd1da291e108622f329d Mon Sep 17 00:00:00 2001
From: Steve Dogiakos
Date: Sat, 28 Mar 2026 23:18:11 -0600
Subject: [PATCH] fix: enforce max input lengths on guestbook form
Adds FIELD_MAX constants and server-side length checks in the index route. Adds matching maxlength attributes on all form inputs so the browser enforces limits before submission.
---
 app.py | 16 ++++++++++++++++
 templates/index.html.template | 10 +++++-----
 2 files changed, 21 insertions(+), 5 deletions(-)
diff --git a/app.py b/app.py
index f141f94..e2349c0 100644
--- a/app.py
+++ b/app.py
@@ -123,6 +123,14 @@ def load_banned_words():
 BANNED_WORDS = load_banned_words()
+FIELD_MAX = {
+ 'first_name': 100,
+ 'last_name': 100,
+ 'email': 254,
+ 'location': 100,
+ 'comment': 2000,
+}
+
 def contains_banned_words(text):
 lower = text.lower()
 # Whole-word check (punctuation-stripped) — catches exact matches
@@ -246,6 +254,14 @@ def index():
 if not (first_name and last_name and location):
 error = "First name, last name, and location are required."
 logger.warning("Missing required fields.")
+ elif (len(first_name) > FIELD_MAX['first_name'] or
+ len(last_name) > FIELD_MAX['last_name'] or
+ len(location) > FIELD_MAX['location']):
+ error = "A required field exceeds the maximum allowed length."
+ elif email and len(email) > FIELD_MAX['email']:
+ error = "Email address is too long."
+ elif comment and len(comment) > FIELD_MAX['comment']:
+ error = f"Comment is too long (max {FIELD_MAX['comment']:,} characters)."
 elif email and not is_valid_email(email):
 error = "Invalid email address."
 logger.warning("Invalid email: %s", email)
diff --git a/templates/index.html.template b/templates/index.html.template
index 04c4e39..6743540 100644
--- a/templates/index.html.template
+++ b/templates/index.html.template
@@ -73,17 +73,17 @@
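Review bot: FIELD_MAX has no comment stating the unit of its limits or that the same numbers are hand-copied into the `maxlength` attributes of templates/index.html.template in this commit, so whoever changes one value later has nothing telling them to change the other. The index() checks compare with `len()`, so the limits are in characters (code points), not bytes; if the storage columns are byte-limited that distinction matters and is worth recording next to the numbers. Suggested header comment above the dict: `# Per-field maximum length in characters (compared with len() in index()). Keep in sync with the maxlength attributes in templates/index.html.template, or render those attributes from this dict.` Whether the template can read values from the view context is not visible in this hunk.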
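Review bot: The three new length-error branches set `error` but, unlike the neighbouring missing-field and invalid-email branches, do not call `logger.warning(...)`, so an over-length submission leaves no trace in the log. Since the browser-side `maxlength` added in the same commit normally blocks such input before submission, a request that still arrives over-length is exactly the kind of event an operator wants recorded. Add a warning after each assignment, e.g. `logger.warning("Required field exceeds max length.")`, `logger.warning("Email exceeds max length (%d chars).", len(email))`, `logger.warning("Comment exceeds max length (%d chars).", len(comment))` — logging the length rather than the oversized value keeps the log entries bounded. Placing the email length check ahead of `is_valid_email(email)` is the right order, as it bounds the input before any pattern matching; whether the field values are stripped before measurement is decided earlier in index(), whose body starts outside the hunk.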
- +
- +
- +
- +