From 0fae66c7dd3717c22b7c7083caa89edc6cbc9de5 Mon Sep 17 00:00:00 2001
From: nyne
Date: Wed, 21 May 2025 12:44:29 +0800
Subject: [PATCH] Add username validation and URL decoding in comment retrieval

---
 server/api/comment.go  | 8 ++++++++
 server/api/resource.go | 4 ++++
 2 files changed, 12 insertions(+)

diff --git a/server/api/comment.go b/server/api/comment.go
index 153bdf5..754cfb3 100644
--- a/server/api/comment.go
+++ b/server/api/comment.go
@@ -1,6 +1,7 @@
 package api
 
 import (
+	"net/url"
 	"nysoure/server/model"
 	"nysoure/server/service"
 	"strconv"
@@ -65,6 +66,13 @@ func listComments(c fiber.Ctx) error {
 
 func listCommentsWithUser(c fiber.Ctx) error {
 	username := c.Params("username")
+	if username == "" {
+		return model.NewRequestError("Username is required")
+	}
+	username, err := url.PathUnescape(username)
+	if err != nil {
+		return model.NewRequestError("Invalid username")
+	}
 	pageStr := c.Query("page", "1")
 	page, err := strconv.Atoi(pageStr)
 	if err != nil {
diff --git a/server/api/resource.go b/server/api/resource.go
index 31d12b8..517a80a 100644
--- a/server/api/resource.go
+++ b/server/api/resource.go
@@ -179,6 +179,10 @@ func handleGetResourcesWithUser(c fiber.Ctx) error {
 	if username == "" {
 		return model.NewRequestError("Username is required")
 	}
+	username, err := url.PathUnescape(username)
+	if err != nil {
+		return model.NewRequestError("Invalid username")
+	}
 	pageStr := c.Query("page")
 	if pageStr == "" {
 		pageStr = "1"
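Review bot: The decoded `username` in listCommentsWithUser is handed on with no content check — the only validation the hunk adds is the empty check, and that runs on the still-encoded value, so after `url.PathUnescape` the string may carry `/`, whitespace, control bytes or a `%00` NUL straight into the lookup. If the application sets Fiber's `UnescapePath` option (not visible here; confirm against the fiber.Config) the router has already decoded the path and this is a second decode, which lets a doubly-encoded value smuggle characters that routing would otherwise have rejected. I would move the decode plus a length cap and a character rule into a package-level helper that both user-scoped handlers call, so the rule lives in one place; the pattern below is a placeholder and should match whatever rule registration enforces (assumed to exist), and needs `regexp` imported. listCommentsWithUser's body continues past the end of the hunk.

```go
// validUsername is the accepted shape of a route username; keep it in step
// with the rule enforced at registration.
var validUsername = regexp.MustCompile(`^[A-Za-z0-9_.-]{1,64}$`)

// usernameParam decodes and validates the :username route parameter so every
// handler rejects empty, undecodable, over-long or malformed values the same way.
func usernameParam(c fiber.Ctx) (string, error) {
	raw := c.Params("username")
	if raw == "" {
		return "", model.NewRequestError("Username is required")
	}
	username, err := url.PathUnescape(raw)
	if err != nil || !validUsername.MatchString(username) {
		return "", model.NewRequestError("Invalid username")
	}
	return username, nil
}

func listCommentsWithUser(c fiber.Ctx) error {
	username, err := usernameParam(c)
	if err != nil {
		return err
	}
	// … unchanged: page parsing and the rest of the handler …
```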
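Review bot: The four added lines in handleGetResourcesWithUser repeat the decode added to comment.go verbatim and inherit the same gap: nothing inspects the decoded value, so the handler forwards whatever bytes the caller percent-encoded, and the empty check above it is applied before decoding rather than after. A shared helper in the api package (for example `username, err := usernameParam(c)` with the decode and a charset/length rule inside it) would keep the two handlers from drifting apart as validation tightens. The patch adds no `net/url` import to resource.go and the diffstat shows only these four lines added there, so the file must already import it for this to compile — worth a quick confirmation. handleGetResourcesWithUser both starts and ends outside the hunk.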