Sanitize chat input

Don't let someone send a chat message with "^C" and kill the server.

chat/server.py

@@ -1,5 +1,7 @@
 import logging
+import shlex
 import subprocess
+import unicodedata
 
 from flask import Flask, request
 
@@ -12,6 +14,11 @@ def setup_logging():
     app.logger.setLevel(logging.INFO)
 
 
+def sanitize_input(input):
+    input = "".join(ch for ch in input if unicodedata.category(ch)[0] != "C")
+    return shlex.quote(input.replace('^', ''))
+
+
 @app.route('/chat/', methods=['POST'])
 def send_chat():
     if request.method == 'POST':
@@ -20,11 +27,17 @@ def send_chat():
         if not request.form.get('say-text', None):
             return 'No message to send!', 422
         if request.form.get('say-username', None):
-            subprocess.call(['/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff',
-                             '/say [{}]: {}\015'.format(request.form['say-username'], request.form['say-text'])])
+            subprocess.call([
+                '/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff',
+                '/say [{}]: {}\015'.format(
+                    sanitize_input(request.form['say-username']),
+                    sanitize_input(request.form['say-text']))
+            ])
         else:
-            subprocess.call(['/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff',
-                             '/say {}\015'.format(request.form['say-text'])])
+            subprocess.call([
+                '/usr/bin/screen', '-S', 'mc-panic-shack', '-p', '0', '-X', 'stuff',
+                '/say {}\015'.format(sanitize_input(request.form['say-text']))
+            ])
         return 'Sending chat: ' + request.form.get('say-username', '') + ': ' + request.form['say-text']
 
 if __name__ == "__main__":