diff --git a/package.json b/package.json
index 26c605b..07bcbc7 100644
--- a/package.json
+++ b/package.json
@@ -34,6 +34,7 @@
 "@testing-library/svelte": "^5.3.1",
 "@tiptap/core": "3.7.2",
 "@types/node": "^20.19.25",
+ "@types/sanitize-html": "^2.16.1",
 "drizzle-kit": "^0.31.7",
 "drizzle-orm": "^0.44.7",
 "eslint": "^9.39.1",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index 394cdf0..a7f4ce8 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -66,6 +66,9 @@ importers: '@types/node': specifier: ^20.19.25 version: 20.19.25 + '@types/sanitize-html': + specifier: ^2.16.1 + version: 2.16.1 drizzle-kit: specifier: ^0.31.7 version: 0.31.7 @@ -1373,6 +1376,9 @@ packages: '@types/resolve@1.20.2': resolution: {integrity: sha512-60BCwRFOZCQhDncwQdxxeOEEkbc5dIMccYLwbxsS4TUNeVECQ/pBJ0j09mrHOl/JJvpRPGwO9SvE4nR2Nb/a4Q==} + '@types/sanitize-html@2.16.1': + resolution: {integrity: sha512-n9wjs8bCOTyN/ynwD8s/nTcTreIHB1vf31vhLMGqUPNHaweKC4/fAl4Dj+hUlCTKYgm4P3k83fmiFfzkZ6sgMA==} + '@types/unist@3.0.3': resolution: {integrity: sha512-ko/gIFJRv177XgZsZcBwnqJN5x/Gien8qNOn0D5bQU/zAzVf9Zt3BlcUiLqhV9y4ARk0GbT3tnUiPNgnTXzc/Q==} @@ -1770,6 +1776,10 @@ packages: resolution: {integrity: sha512-aN97NXWF6AWBTahfVOIrB/NShkzi5H7F9r1s9mD3cDj4Ko5f2qhhVoYMibXF7GlLveb/D2ioWay8lxI97Ven3g==} engines: {node: '>=0.12'} + entities@7.0.1: + resolution: {integrity: sha512-TWrgLOFUQTH994YUyl1yT4uyavY5nNB5muff+RtWaqNVCAK408b5ZnnbNAUEWLTCpum9w6arT70i1XdQ4UeOPA==} + engines: {node: '>=0.12'} + es-module-lexer@2.0.0: resolution: {integrity: sha512-5POEcUuZybH7IdmGsD8wlf0AI55wMecM9rVBTI/qEAy2c1kTOm3DjFYjrBdI2K3BaJjJYfYFeRtM0t9ssnRuxw==}
@@ -1967,6 +1977,9 @@ packages: resolution: {integrity: sha512-CV9TW3Y3f8/wT0BRFc1/KAVQ3TUHiXmaAb6VW9vtiMFf7SLoMd1PdAc4W3KFOFETBJUb90KatHqlsZMWV+R9Gg==} engines: {node: ^20.19.0 || ^22.12.0 || >=24.0.0} + htmlparser2@10.1.0: + resolution: {integrity: sha512-VTZkM9GWRAtEpveh7MSF6SjjrpNVNNVJfFup7xTY3UpFtm67foy9HDVXneLtFVt4pMz5kZtgNcvCniNFb1hlEQ==} + htmlparser2@8.0.2: resolution: {integrity: sha512-GYdjWKDkbRLkZ5geuHs5NY1puJ+PXwP7+fHPRz06Eirsb9ugf6d8kkXav6ADhcODhFFPMIXyxkxSuMf3D6NCFA==} @@ -3884,6 +3897,10 @@ snapshots: '@types/resolve@1.20.2': {} + '@types/sanitize-html@2.16.1': + dependencies: + htmlparser2: 10.1.0 + '@types/unist@3.0.3': {} '@typescript-eslint/eslint-plugin@8.48.0(@typescript-eslint/parser@8.48.0(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3))(eslint@9.39.1(jiti@2.6.1))(typescript@5.9.3)': @@ -4209,6 +4226,8 @@ snapshots: entities@6.0.1: {} + entities@7.0.1: {} + es-module-lexer@2.0.0: {} esbuild-register@3.6.0(esbuild@0.25.12): @@ -4504,6 +4523,13 @@ snapshots: transitivePeerDependencies: - '@noble/hashes' + htmlparser2@10.1.0: + dependencies: + domelementtype: 2.3.0 + domhandler: 5.0.3 + domutils: 3.2.2 + entities: 7.0.1 + htmlparser2@8.0.2: dependencies: domelementtype: 2.3.0
diff --git a/src/lib/server/db/queries.ts b/src/lib/server/db/queries.ts
new file mode 100644
index 0000000..448d495
--- /dev/null
+++ b/src/lib/server/db/queries.ts
@@ -0,0 +1,16 @@
+import { db } from '$lib/server/db';
+import { aktis, ratings } from '$lib/server/db/schema';
+import { avg, eq } from 'drizzle-orm';
+
+export async function getAktisWithAvgRating() {
+ return await db
+ .select({
+ id: aktis.id,
+ title: aktis.title,
+ summary: aktis.summary,
+ rating: avg(ratings.rating)
+ })
+ .from(aktis)
+ .leftJoin(ratings, eq(aktis.id, ratings.aktiId))
+ .groupBy(aktis.id, aktis.title, aktis.summary);
+}
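Review bot: `getAktisWithAvgRating` is a new exported function with no TSDoc and no explicit return type, and the one thing a caller has to know is not visible from the signature: `rating` is whatever `avg(ratings.rating)` yields, which the consumer in `src/routes/+page.server.ts` converts with `parseFloat` and guards with `a.rating ? … : undefined`, so it is a decimal string that is null/falsy for aktis without ratings (the left join keeps them). Add a header comment above the function such as `/** Every akti with the average of its ratings. \`rating\` is the raw SQL avg() result — a decimal string, or null when the akti has no ratings — so callers parse it themselves. */`. The `return await db` is also redundant inside an async function with no surrounding try/catch; `return db` behaves the same for the caller.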
diff --git a/src/lib/auth.ts b/src/lib/server/session.ts
similarity index 94%
rename from src/lib/auth.ts
rename to src/lib/server/session.ts
index ea7bbfe..101aff6 100644
--- a/src/lib/auth.ts
+++ b/src/lib/server/session.ts
@@ -1,7 +1,7 @@
 import type { Session, User } from '@auth/sveltekit';
 import { error } from '@sveltejs/kit';
-import { db } from './server/db';
-import { users } from './server/db/schema';
+import { db } from './db';
+import { users } from './db/schema';
 import { eq } from 'drizzle-orm';
 interface Event {
 locals: {
diff --git a/src/routes/+layout.server.ts b/src/routes/+layout.server.ts
index f7dc423..ff80a36 100644
--- a/src/routes/+layout.server.ts
+++ b/src/routes/+layout.server.ts
@@ -1,4 +1,4 @@
-import { getSession as getSession } from '$lib/auth';
+import { getSession as getSession } from '$lib/server/session';
 import type { LayoutServerLoad } from './$types';
 export const load: LayoutServerLoad = async (event) => {
diff --git a/src/routes/+page.server.ts b/src/routes/+page.server.ts
index 4510bd3..194192e 100644
--- a/src/routes/+page.server.ts
+++ b/src/routes/+page.server.ts
@@ -1,19 +1,8 @@
-import { db } from '$lib/server/db';
-import { aktis, ratings } from '$lib/server/db/schema';
-import { avg, eq } from 'drizzle-orm';
+import { getAktisWithAvgRating } from '$lib/server/db/queries';
 import type { PageServerLoad } from './$types';
 export const load: PageServerLoad = async () => {
- const a = await db
- .select({
- id: aktis.id,
- title: aktis.title,
- summary: aktis.summary,
- rating: avg(ratings.rating)
- })
- .from(aktis)
- .leftJoin(ratings, eq(aktis.id, ratings.aktiId))
- .groupBy(aktis.id, aktis.title, aktis.summary);
+ const a = await getAktisWithAvgRating();
 return { aktis: a.map((a) => ({ ...a, rating: a.rating ? parseFloat(a.rating) : undefined }))
diff --git a/src/routes/akti/+page.server.ts b/src/routes/akti/+page.server.ts
index 747749d..6e4f670 100644
--- a/src/routes/akti/+page.server.ts
+++ b/src/routes/akti/+page.server.ts
@@ -4,9 +4,10 @@ import { extractFormData } from '$lib/extractFormData';
 import { resolve } from '$app/paths';
 import * as v from 'valibot';
-import { ensureAuth } from '$lib/auth';
+import { ensureAuth } from '$lib/server/session';
 import { db } from '$lib/server/db';
 import { aktis } from '$lib/server/db/schema';
+import sanitizeHtml from 'sanitize-html';
 export const load: PageServerLoad = async (event) => {
 await ensureAuth(event);
 return {};
@@ -28,6 +29,8 @@ export const actions = {
 if (!akti) return {};
+ akti.body = sanitizeHtml(akti.body);
+
 const res = await db
 .insert(aktis)
 .values({ ...akti, author: user.id! })
diff --git a/src/routes/akti/[aktiId]/+page.server.ts b/src/routes/akti/[aktiId]/+page.server.ts
index 0dba094..0b79d46 100644
--- a/src/routes/akti/[aktiId]/+page.server.ts
+++ b/src/routes/akti/[aktiId]/+page.server.ts
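Review bot: The new `import sanitizeHtml from 'sanitize-html';` makes the library a runtime dependency of this server route, but the only manifest change in the commit is `@types/sanitize-html` in package.json, and the pnpm-lock hunks add just that type package and its htmlparser2/entities transitive entries, with no `sanitize-html` entry of its own. If the library was already declared in package.json before this commit there is nothing to do; if it currently resolves only because another package pulls it in transitively, it should be declared explicitly so a lockfile refresh cannot silently drop it. The same import is added in `src/routes/akti/[aktiId]/+page.server.ts`.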
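Review bot: `akti.body = sanitizeHtml(akti.body);` applies sanitize-html with its implicit default policy inline, and the identical line appears in the update action of `src/routes/akti/[aktiId]/+page.server.ts` (hunk @@ -56), so the allowlist that decides which user-authored HTML reaches the database is defined in two places by omission. Put it behind one server-side helper, say `sanitizeBody(html: string): string` under `src/lib/server/`, that calls `sanitizeHtml(html, { allowedTags: …, allowedAttributes: … })` with the tags and attributes the editor is expected to emit written out, and replace both call sites with `akti.body = sanitizeBody(akti.body);`. Writing the allowlist out also surfaces a behavioural question: as far as I recall the sanitize-html defaults drop tags that are not on their list (images among them), so a TipTap document using such nodes would silently lose content on save — worth confirming against the editor configuration. Sanitization here runs only on write, so rows stored before this commit keep whatever they contained; if `body` is rendered with `{@html}`, consider sanitizing at render time as well or re-sanitizing existing rows once. The enclosing action continues outside the hunk.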
@@ -3,21 +3,23 @@ import { aktis, ratings } from '$lib/server/db/schema';
 import { error, redirect, type Actions } from '@sveltejs/kit';
 import { and, eq } from 'drizzle-orm';
 import type { PageServerLoad } from './$types';
-import { ensureAuth } from '$lib/auth';
+import { ensureAuth } from '$lib/server/session';
 import { extractFormData } from '$lib/extractFormData';
 import * as v from 'valibot';
 import { resolve } from '$app/paths';
+import sanitizeHtml from 'sanitize-html';
 export const load: PageServerLoad = async (event) => {
- const akti = await db.query.aktis.findFirst({
- where: eq(aktis.id, event.params.aktiId),
- with: { author: true }
- });
-
- const r = await db.query.ratings.findMany({
- with: { user: true },
- where: eq(ratings.aktiId, event.params.aktiId)
- });
+ const [akti, r] = await Promise.all([
+ db.query.aktis.findFirst({
+ where: eq(aktis.id, event.params.aktiId),
+ with: { author: true }
+ }),
+ db.query.ratings.findMany({
+ with: { user: true },
+ where: eq(ratings.aktiId, event.params.aktiId)
+ })
+ ]);
 if (!akti) {
 error(404, { message: 'Die Akti gits garnid, sorry...' });
@@ -56,6 +58,8 @@ export const actions = {
 if (!changeRequest) return error(400);
+ changeRequest.body = sanitizeHtml(changeRequest.body);
+
 await db
 .update(aktis)
 .set({ ...changeRequest, version: akti[0].version + 1 })
diff --git a/src/routes/akti/[aktiId]/comment/+page.server.ts b/src/routes/akti/[aktiId]/comment/+page.server.ts
index ddb75d2..a1a4d8d 100644
--- a/src/routes/akti/[aktiId]/comment/+page.server.ts
+++ b/src/routes/akti/[aktiId]/comment/+page.server.ts
@@ -1,5 +1,5 @@
 import type { PageServerLoad } from './$types';
-import { ensureAuth } from '$lib/auth';
+import { ensureAuth } from '$lib/server/session';
 import { error, redirect, type Actions } from '@sveltejs/kit';
 import { extractFormData } from '$lib/extractFormData';
 import { aktis, ratings } from '$lib/server/db/schema';