hicommonwealth · mzparacha · Sep 10, 2024 · Sep 9, 2024 · Sep 9, 2024 · Sep 10, 2024
diff --git a/libs/model/src/community/GetCommunities.query.ts b/libs/model/src/community/GetCommunities.query.ts
@@ -86,6 +86,17 @@ export function GetCommunities(): Query<typeof schemas.GetCommunities> {
                   }
           FROM    "Communities" AS "Community"
           WHERE  "Community"."active" = true
+                      ${
+                        relevance_by === 'membership'
+                          ? `
+                        AND name NOT LIKE '%<%'
+                        AND name NOT LIKE '%>%'
+                        AND name NOT LIKE '%\`%'
+                        AND name NOT LIKE '%"%'
+                        AND name NOT LIKE '%''%'
+                        `
+                          : ''
+                      }
                         ${
                           base
                             ? `

diff --git a/libs/schemas/src/commands/community.schemas.ts b/libs/schemas/src/commands/community.schemas.ts
@@ -2,19 +2,23 @@ import {
   ALL_COMMUNITIES,
   ChainBase,
   ChainType,
+  COMMUNITY_NAME_REGEX,
   MAX_SCHEMA_INT,
   MIN_SCHEMA_INT,
 } from '@hicommonwealth/shared';
 import { z } from 'zod';
 import { Community, Group, StakeTransaction } from '../entities';
-import { PG_INT, checkIconSize } from '../utils';
+import { checkIconSize, PG_INT } from '../utils';
 
 export const CreateCommunity = {
   input: z.object({
     id: z.string(),
     name: z
       .string()
       .max(255)
+      .regex(COMMUNITY_NAME_REGEX, {
+        message: `Invalid name, only a-z, A-Z, 0-9, !, @, #, &, (, ), :, _, $, /, \\, |, . and single spaces are allowed`,
+      })
       .refine((data) => !data.includes(ALL_COMMUNITIES), {
         message: `String must not contain '${ALL_COMMUNITIES}'`,
       }),

diff --git a/libs/shared/src/index.ts b/libs/shared/src/index.ts
@@ -1,5 +1,6 @@
 export * from './canvas';
 export * as commonProtocol from './commonProtocol';
 export * from './constants';
+export * from './regex';
 export * from './types';
 export * from './utils';
diff --git a/libs/shared/src/regex.ts b/libs/shared/src/regex.ts
@@ -0,0 +1,3 @@
+export const COMMUNITY_NAME_REGEX =
+  // eslint-disable-next-line no-useless-escape
+  /^(?!.* {2})[a-zA-Z0-9!@#&():_$\/\\|\.]+(?: [a-zA-Z0-9!@#&():_$\/\\|\.]+)*$/;
diff --git a/...ripts/views/pages/CommunityManagement/CommunityProfile/CommunityProfileForm/validation.ts b/...ripts/views/pages/CommunityManagement/CommunityProfile/CommunityProfileForm/validation.ts
@@ -1,11 +1,15 @@
+import { COMMUNITY_NAME_REGEX } from '@hicommonwealth/shared';
 import { VALIDATION_MESSAGES } from 'helpers/formValidations/messages';
 import z from 'zod';
 
 export const communityProfileValidationSchema = z.object({
   communityName: z
     .string({ invalid_type_error: VALIDATION_MESSAGES.NO_INPUT })
     .nonempty({ message: VALIDATION_MESSAGES.NO_INPUT })
-    .max(255, { message: VALIDATION_MESSAGES.MAX_CHAR_LIMIT_REACHED }),
+    .max(255, { message: VALIDATION_MESSAGES.MAX_CHAR_LIMIT_REACHED })
+    .regex(COMMUNITY_NAME_REGEX, {
+      message: `Invalid name, only a-z, A-Z, 0-9, !, @, #, &, (, ), :, _, $, /, \\, |, . and single spaces are allowed`,
+    }),
   communityDescription: z
     .string({ invalid_type_error: VALIDATION_MESSAGES.NO_INPUT })
     .nonempty({ message: VALIDATION_MESSAGES.NO_INPUT }),

diff --git a/...views/pages/CreateCommunity/steps/BasicInformationStep/BasicInformationForm/validation.ts b/...views/pages/CreateCommunity/steps/BasicInformationStep/BasicInformationForm/validation.ts
@@ -1,11 +1,15 @@
+import { COMMUNITY_NAME_REGEX } from '@hicommonwealth/shared';
 import { VALIDATION_MESSAGES } from 'helpers/formValidations/messages';
 import z from 'zod';
 
 export const basicInformationFormValidationSchema = z.object({
   communityName: z
     .string({ invalid_type_error: VALIDATION_MESSAGES.NO_INPUT })
     .nonempty({ message: VALIDATION_MESSAGES.NO_INPUT })
-    .max(255, { message: VALIDATION_MESSAGES.MAX_CHAR_LIMIT_REACHED }),
+    .max(255, { message: VALIDATION_MESSAGES.MAX_CHAR_LIMIT_REACHED })
+    .regex(COMMUNITY_NAME_REGEX, {
+      message: `Invalid name, only a-z, A-Z, 0-9, !, @, #, &, (, ), :, _, $, /, \\, |, . and single spaces are allowed`,
+    }),
   communityDescription: z
     .string({ invalid_type_error: VALIDATION_MESSAGES.NO_INPUT })
     .nonempty({ message: VALIDATION_MESSAGES.NO_INPUT })

diff --git a/...ipts/views/pages/user_dashboard/TrendingCommunitiesPreview/TrendingCommunitiesPreview.tsx b/...ipts/views/pages/user_dashboard/TrendingCommunitiesPreview/TrendingCommunitiesPreview.tsx
@@ -27,17 +27,6 @@ export const TrendingCommunitiesPreview = () => {
   const trendingCommunities = (
     paginatedTrendingCommunities?.pages?.[0]?.results || []
   )
-    .filter((community) => {
-      // TODO: This XSS logic should be moved to API + we shouldn't allow users to choose community
-      // names with invalid chars
-      const name = community.name.toLowerCase();
-      //this filter is meant to not include any de facto communities that are actually xss attempts.
-      //It's a way of keeping the front facing parts of the app clean looking for users
-      return (
-        !['"', '>', '<', "'", '/', '`'].includes(name[0]) &&
-        !['"', '>', '<', "'", '/', '`'].includes(name[1])
-      );
-    })
     .map((community) => ({
       community,
       isMember: Permissions.isCommunityMember(community.id),

diff --git a/packages/commonwealth/server/controllers/server_communities_methods/update_community.ts b/packages/commonwealth/server/controllers/server_communities_methods/update_community.ts
@@ -6,14 +6,16 @@ import {
   CommunityAttributes,
   UserInstance,
 } from '@hicommonwealth/model';
-import { ChainBase } from '@hicommonwealth/shared';
+import { ChainBase, COMMUNITY_NAME_REGEX } from '@hicommonwealth/shared';
 import { MixpanelCommunityInteractionEvent } from '../../../shared/analytics/types';
 import { urlHasValidHTTPPrefix } from '../../../shared/utils';
 import { ALL_COMMUNITIES } from '../../middleware/databaseValidationService';
 import { TrackOptions } from '../server_analytics_controller';
 import { ServerCommunitiesController } from '../server_communities_controller';
 
 export const Errors = {
+  InvalidCommunityName:
+    'Invalid name, only a-z, A-Z, 0-9, !, @, #, &, (, ), :, _, $, /, \\, |, . and single spaces are allowed',
   NotLoggedIn: 'Not signed in',
   NoCommunityId: 'Must provide community ID',
   ReservedId: 'The id is reserved and cannot be used',
@@ -111,6 +113,10 @@ export async function __updateCommunity(
     transactionHash,
   } = rest;
 
+  if (name !== undefined && !COMMUNITY_NAME_REGEX.test(name)) {
+    throw new AppError(Errors.InvalidCommunityName);
+  }
+
   // Handle single string case and undefined case
   let { snapshot } = rest;
   if (snapshot !== undefined && typeof snapshot === 'string') {