Two defense-in-depth findings from the I-series security review (both safe today,
neither currently exploitable):
- AddBetForm.Notes was unbounded free-text into SQLite; add a 2000-char sanity cap
in IsValid (covers both the add and edit paths), alongside the existing stake/rate
caps.
- EventId only rejected empty/whitespace; now also reject path separators, '..'
traversal, control/newline chars and over-length input so no current-or-future
consumer that builds a path/filename/log line from an id can be tricked. The
charset stays open for forward-compat with non-numeric bookmaker ids.
alexei.dolgolyov
0683e348ba