# HG changeset patch
# User Franklin Schmidt
# Date 1696211626 21600
# Node ID a6e72cd199f1b98b5f919d7d704b75fe8cfaf5db
# Parent 49461857ed797e117c2d30c024aa04b6068abd05
email security

diff -r 49461857ed79 -r a6e72cd199f1 src/get_password.html.luan
--- a/src/get_password.html.luan Thu Jul 28 16:28:27 2022 +0300
+++ b/src/get_password.html.luan Sun Oct 01 19:53:46 2023 -0600
@@ -1,5 +1,7 @@
 local Luan = require "luan:Luan.luan"
 local error = Luan.error
+local String = require "luan:String.luan"
+local matches = String.matches or error()
 local Io = require "luan:Io.luan"
 local output_of = Io.output_of or error()
 local Http = require "luan:http/Http.luan"
@@ -16,6 +18,7 @@
 local send_mail = config.mail_info and Mail.sender(config.mail_info).send
 
 local function handle(email)
+ matches( email, [[^(\w[-+~.\w]*)@[-\w]+(\\.[-\w]+)*\.[a-zA-Z]+$]] ) or error "invalid email"
 local change = Http.request.parameters.change ~= nil
 local password = config.users[email]
 if password == nil or change then
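Review bot: The domain part of the pattern added at the top of `handle` contains `(\\.[-\w]+)*`, and because the same `[[...]]` literal passes `\w` and `\.` to the regex engine with a single backslash, `\\.` reads as a literal backslash followed by any character rather than a literal dot. As written, an address whose domain has more than two labels (constructed example: `user@mail.example.com`) would be rejected, while a domain containing a backslash plus an arbitrary character passes the check before `config.users[email]` is consulted. The group should be `(\.[-\w]+)*`, i.e. `matches( email, [[^(\w[-+~.\w]*)@[-\w]+(\.[-\w]+)*\.[a-zA-Z]+$]] ) or error "invalid email"`. It is also worth confirming whether `String.matches` requires a full match or only a find, since that decides how strictly `$` treats a trailing line terminator. The body of `handle` continues outside the hunk.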