From 07fe5057e18c3830e7f8e35afdfb8a7c399f882b Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Sat, 27 Aug 2016 15:45:15 +0300
Subject: [PATCH] make sure validator.escape() receives strings only
---
 src/categories/data.js | 4 ++--
 src/categories/recentreplies.js | 2 +-
 src/controllers/accounts/helpers.js | 12 ++++++------
 src/controllers/api.js | 8 ++++----
 src/controllers/categories.js | 4 ++--
 src/controllers/groups.js | 2 +-
 src/controllers/helpers.js | 4 ++--
 src/controllers/tags.js | 2 +-
 src/messaging/rooms.js | 2 +-
 src/meta/tags.js | 4 ++--
 src/middleware/header.js | 2 +-
 src/middleware/render.js | 2 +-
 src/posts/edit.js | 2 +-
 src/posts/user.js | 4 ++--
 src/search.js | 2 +-
 src/socket.io/admin/rooms.js | 2 +-
 src/socket.io/modules.js | 2 +-
 src/topics/create.js | 4 ++--
 src/topics/posts.js | 2 +-
 src/user/create.js | 2 +-
 20 files changed, 34 insertions(+), 34 deletions(-)
diff --git a/src/categories/data.js b/src/categories/data.js
index fb166a47af..a9f70ab359 100644
--- a/src/categories/data.js
+++ b/src/categories/data.js
@@ -42,7 +42,7 @@ module.exports = function(Categories) {
 return;
 }
- category.name = validator.escape(category.name || '');
+ category.name = validator.escape(String(category.name || ''));
 category.disabled = category.hasOwnProperty('disabled') ? parseInt(category.disabled, 10) === 1 : undefined;
 category.icon = category.icon || 'hidden';
 if (category.hasOwnProperty('post_count')) {
@@ -58,7 +58,7 @@ module.exports = function(Categories) {
 }
 if (category.description) {
- category.description = validator.escape(category.description);
+ category.description = validator.escape(String(category.description));
 category.descriptionParsed = category.descriptionParsed || category.description;
 }
 }
diff --git a/src/categories/recentreplies.js b/src/categories/recentreplies.js
index c7a9e9cb67..d9393c7c08 100644
--- a/src/categories/recentreplies.js
+++ b/src/categories/recentreplies.js
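Review bot: The `String(x || '')` wrapping is applied by hand at every call site in this commit (34 changed lines across 20 files per the diffstat), and in two slightly different shapes — `String(x || '')` in both data.js hunks here, a bare `String(x)` in several other files — so the null/undefined policy is now decided line by line rather than once. A one-line helper next to the existing utilities, e.g. `function escapeString(value) { return validator.escape(String(value || '')); }`, would let each site read `category.name = escapeString(category.name);` and keep the coercion uniform. Both data.js hunks sit inside the `module.exports = function(Categories) {` function, whose start and end lie outside the hunks.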
@@ -137,7 +137,7 @@ module.exports = function(Categories) {
 teaser.tid = teaser.uid = teaser.user.uid = undefined;
 teaser.topic = {
 slug: topicData[index].slug,
- title: validator.escape(topicData[index].title)
+ title: validator.escape(String(topicData[index].title))
 };
 }
 });
diff --git a/src/controllers/accounts/helpers.js b/src/controllers/accounts/helpers.js
index 2b1cac23c3..fc78f3af91 100644
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
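Review bot: `String(topicData[index].title)` stops the TypeError but turns a missing title into the literal text "undefined" (or "null"), which the teaser then carries as if it were the topic's title. The other sites in this commit that have a fallback use `|| ''` (data.js, accounts/helpers.js, posts/user.js, search.js); the bare `String(x)` form appears here and also in controllers/groups.js (`groupName`), controllers/helpers.js (`data.name`), meta/tags.js (`tag.content`), posts/edit.js (`title`), socket.io/admin/rooms.js (`titles[index].title`), socket.io/modules.js (`data.newName`) and the `-312` hunk of topics/create.js (`postData.topic.title`), whereas the handle sites in topics/create.js and topics/posts.js and messaging/rooms.js are already guarded by a truthiness check. For consistency, `title: validator.escape(String(topicData[index].title || ''))`, or skip the teaser entirely when the topic record is missing. The enclosing callback starts and ends outside this hunk.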
@@ -98,17 +98,17 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
 userData.sso = results.sso.associations;
 userData.status = user.getStatus(userData);
 userData.banned = parseInt(userData.banned, 10) === 1;
- userData.website = validator.escape(userData.website || '');
+ userData.website = validator.escape(String(userData.website || ''));
 userData.websiteLink = !userData.website.startsWith('http') ? 'http://' + userData.website : userData.website;
 userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), '');
 userData.followingCount = parseInt(userData.followingCount, 10) || 0;
 userData.followerCount = parseInt(userData.followerCount, 10) || 0;
- userData.email = validator.escape(userData.email || '');
- userData.fullname = validator.escape(userData.fullname || '');
- userData.location = validator.escape(userData.location || '');
- userData.signature = validator.escape(userData.signature || '');
- userData.aboutme = validator.escape(userData.aboutme || '');
+ userData.email = validator.escape(String(userData.email || ''));
+ userData.fullname = validator.escape(String(userData.fullname || ''));
+ userData.location = validator.escape(String(userData.location || ''));
+ userData.signature = validator.escape(String(userData.signature || ''));
+ userData.aboutme = validator.escape(String(userData.aboutme || ''));
 userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
 userData['cover:position'] = userData['cover:position'] || '50% 50%';
diff --git a/src/controllers/api.js b/src/controllers/api.js
index 706a36cef9..968a0d86a6 100644
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -22,8 +22,8 @@ apiController.getConfig = function(req, res, next) {
 config.environment = process.env.NODE_ENV;
 config.relative_path = nconf.get('relative_path');
 config.version = nconf.get('version');
- config.siteTitle = validator.escape(meta.config.title || meta.config.browserTitle || 'NodeBB');
- config.browserTitle = validator.escape(meta.config.browserTitle || meta.config.title || 'NodeBB');
+ config.siteTitle = validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB'));
+ config.browserTitle = validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB'));
 config.titleLayout = (meta.config.titleLayout || '{pageTitle} | {browserTitle}').replace(/{/g, '{').replace(/}/g, '}');
 config.showSiteTitle = parseInt(meta.config.showSiteTitle, 10) === 1;
 config.minimumTitleLength = meta.config.minimumTitleLength;
@@ -53,7 +53,7 @@ apiController.getConfig = function(req, res, next) {
 config['theme:id'] = meta.config['theme:id'];
 config['theme:src'] = meta.config['theme:src'];
 config.defaultLang = meta.config.defaultLang || 'en_GB';
- config.userLang = req.query.lang ? validator.escape(req.query.lang) : config.defaultLang;
+ config.userLang = req.query.lang ? validator.escape(String(req.query.lang)) : config.defaultLang;
 config.loggedIn = !!req.user;
 config['cache-buster'] = meta.config['cache-buster'] || '';
 config.requireEmailConfirmation = parseInt(meta.config.requireEmailConfirmation, 10) === 1;
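Review bot: In the `-53` hunk, `String(req.query.lang)` lets a non-string query value through instead of rejecting it: with Express's default query parser a repeated or bracketed `lang` parameter arrives as an array or object, so the escaped value becomes a comma-joined list or `[object Object]` and is then used as a language code. The same pattern is in the `-76` hunk of this file and in middleware/render.js. A type check keeps the commit's intent while dropping non-string input: `var lang = typeof req.query.lang === 'string' ? req.query.lang : ''; config.userLang = lang ? validator.escape(lang) : config.defaultLang;`. apiController.getConfig begins and ends outside these hunks, so whether `req.query.lang` is validated elsewhere in it is not visible here.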
@@ -76,7 +76,7 @@ apiController.getConfig = function(req, res, next) {
 config.topicsPerPage = settings.topicsPerPage;
 config.postsPerPage = settings.postsPerPage;
 config.notificationSounds = settings.notificationSounds;
- config.userLang = (req.query.lang ? validator.escape(req.query.lang) : null) || settings.userLang || config.defaultLang;
+ config.userLang = (req.query.lang ? validator.escape(String(req.query.lang)) : null) || settings.userLang || config.defaultLang;
 config.openOutgoingLinksInNewTab = settings.openOutgoingLinksInNewTab;
 config.topicPostSort = settings.topicPostSort || config.topicPostSort;
 config.categoryTopicSort = settings.categoryTopicSort || config.categoryTopicSort;
diff --git a/src/controllers/categories.js b/src/controllers/categories.js
index 642467c6b0..fa685e3705 100644
--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@@ -13,10 +13,10 @@ var categoriesController = {};
 categoriesController.list = function(req, res, next) {
 res.locals.metaTags = [{
 name: "title",
- content: validator.escape(meta.config.title || 'NodeBB')
+ content: validator.escape(String(meta.config.title || 'NodeBB'))
 }, {
 name: "description",
- content: validator.escape(meta.config.description || '')
+ content: validator.escape(String(meta.config.description || ''))
 }, {
 property: 'og:title',
 content: '[[pages:categories]]'
diff --git a/src/controllers/groups.js b/src/controllers/groups.js
index 106df26075..bd866dedfc 100644
--- a/src/controllers/groups.js
+++ b/src/controllers/groups.js
@@ -119,7 +119,7 @@ groupsController.members = function(req, res, next) {
 var breadcrumbs = helpers.buildBreadcrumbs([
 {text: '[[pages:groups]]', url: '/groups' },
- {text: validator.escape(groupName), url: '/groups/' + req.params.slug},
+ {text: validator.escape(String(groupName)), url: '/groups/' + req.params.slug},
 {text: '[[groups:details.members]]'}
 ]);
diff --git a/src/controllers/helpers.js b/src/controllers/helpers.js
index c91d68acc7..2010fbc922 100644
--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@@ -67,7 +67,7 @@ helpers.buildCategoryBreadcrumbs = function(cid, callback) {
 if (!parseInt(data.disabled, 10)) {
 breadcrumbs.unshift({
- text: validator.escape(data.name),
+ text: validator.escape(String(data.name)),
 url: nconf.get('relative_path') + '/category/' + data.slug
 });
 }
@@ -119,7 +119,7 @@ helpers.buildBreadcrumbs = function(crumbs) {
 helpers.buildTitle = function(pageTitle) {
 var titleLayout = meta.config.titleLayout || '{pageTitle} | {browserTitle}';
- var browserTitle = validator.escape(meta.config.browserTitle || meta.config.title || 'NodeBB');
+ var browserTitle = validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB'));
 pageTitle = pageTitle || '';
 var title = titleLayout.replace('{pageTitle}', function() {
 return pageTitle;
diff --git a/src/controllers/tags.js b/src/controllers/tags.js
index 163efc2af0..b6345bc840 100644
--- a/src/controllers/tags.js
+++ b/src/controllers/tags.js
@@ -13,7 +13,7 @@ var helpers = require('./helpers');
 var tagsController = {};
 tagsController.getTag = function(req, res, next) {
- var tag = validator.escape(req.params.tag);
+ var tag = validator.escape(String(req.params.tag));
 var page = parseInt(req.query.page, 10) || 1;
 var templateData = {
diff --git a/src/messaging/rooms.js b/src/messaging/rooms.js
index 8c021d509e..54423a2673 100644
--- a/src/messaging/rooms.js
+++ b/src/messaging/rooms.js
@@ -15,7 +15,7 @@ module.exports = function(Messaging) {
 }
 data.roomName = data.roomName || '[[modules:chat.roomname, ' + roomId + ']]';
 if (data.roomName) {
- data.roomName = validator.escape(data.roomName);
+ data.roomName = validator.escape(String(data.roomName));
 }
 callback(null, data);
 });
diff --git a/src/meta/tags.js b/src/meta/tags.js
index d1ac02934c..7f00b0c012 100644
--- a/src/meta/tags.js
+++ b/src/meta/tags.js
@@ -97,7 +97,7 @@ module.exports = function(Meta) {
 }
 if (!tag.noEscape) {
- tag.content = validator.escape(tag.content);
+ tag.content = validator.escape(String(tag.content));
 }
 return tag;
@@ -125,7 +125,7 @@ module.exports = function(Meta) {
 if (!hasDescription) {
 meta.push({
 name: 'description',
- content: validator.escape(Meta.config.description || '')
+ content: validator.escape(String(Meta.config.description || ''))
 });
 }
 }
diff --git a/src/middleware/header.js b/src/middleware/header.js
index b4013d1481..67afe93ed1 100644
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@@ -30,7 +30,7 @@ module.exports = function(middleware) {
 footer: function(next) {
 req.app.render('footer', {
 loggedIn: !!req.uid,
- title: validator.escape(meta.config.title || meta.config.browserTitle || 'NodeBB')
+ title: validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB'))
 }, next);
 },
 plugins: function(next) {
diff --git a/src/middleware/render.js b/src/middleware/render.js
index 63c5662268..b25f1d63f0 100644
--- a/src/middleware/render.js
+++ b/src/middleware/render.js
@@ -81,7 +81,7 @@ module.exports = function(middleware) {
 }
 str = template + str;
 var language = res.locals.config ? res.locals.config.userLang || 'en_GB' : 'en_GB';
- language = req.query.lang ? validator.escape(req.query.lang) : language;
+ language = req.query.lang ? validator.escape(String(req.query.lang)) : language;
 translator.translate(str, language, function(translated) {
 translated = translator.unescape(translated);
 translated = translated + '';
diff --git a/src/posts/edit.js b/src/posts/edit.js
index 9d78cfc140..333901c1fa 100644
--- a/src/posts/edit.js
+++ b/src/posts/edit.js
@@ -141,7 +141,7 @@ module.exports = function(Posts) {
 tid: tid,
 cid: results.topic.cid,
 uid: postData.uid,
- title: validator.escape(title),
+ title: validator.escape(String(title)),
 oldTitle: results.topic.title,
 slug: topicData.slug,
 isMainPost: true,
diff --git a/src/posts/user.js b/src/posts/user.js
index 275264f808..db280cb187 100644
--- a/src/posts/user.js
+++ b/src/posts/user.js
@@ -52,8 +52,8 @@ module.exports = function(Posts) {
 userData.banned = parseInt(userData.banned, 10) === 1;
 userData.picture = userData.picture || '';
 userData.status = user.getStatus(userData);
- userData.signature = validator.escape(userData.signature || '');
- userData.fullname = validator.escape(userData.fullname || '');
+ userData.signature = validator.escape(String(userData.signature || ''));
+ userData.fullname = validator.escape(String(userData.fullname || ''));
 });
 async.map(userData, function(userData, next) {
diff --git a/src/search.js b/src/search.js
index b34704bf47..0d1a3b2103 100644
--- a/src/search.js
+++ b/src/search.js
@@ -34,7 +34,7 @@ search.search = function(data, callback) {
 }
 }, function (result, next) {
- result.search_query = validator.escape(data.query || '');
+ result.search_query = validator.escape(String(data.query || ''));
 result.time = (process.elapsedTimeSince(start) / 1000).toFixed(2);
 next(null, result);
 }
diff --git a/src/socket.io/admin/rooms.js b/src/socket.io/admin/rooms.js
index 50ba4661de..b5f4ffb501 100644
--- a/src/socket.io/admin/rooms.js
+++ b/src/socket.io/admin/rooms.js
@@ -107,7 +107,7 @@ SocketRooms.getAll = function(socket, data, callback) {
 topTenTopics.forEach(function(topic, index) {
 totals.topics[topic.tid] = {
 value: topic.count || 0,
- title: validator.escape(titles[index].title)
+ title: validator.escape(String(titles[index].title))
 };
 });
diff --git a/src/socket.io/modules.js b/src/socket.io/modules.js
index f76e8f9646..568d971b65 100644
--- a/src/socket.io/modules.js
+++ b/src/socket.io/modules.js
@@ -280,7 +280,7 @@ SocketModules.chats.renameRoom = function(socket, data, callback) {
 Messaging.getUidsInRoom(data.roomId, 0, -1, next);
 },
 function (uids, next) {
- var eventData = {roomId: data.roomId, newName: validator.escape(data.newName)};
+ var eventData = {roomId: data.roomId, newName: validator.escape(String(data.newName))};
 uids.forEach(function(uid) {
 server.in('uid_' + uid).emit('event:chats.roomRename', eventData);
 });
diff --git a/src/topics/create.js b/src/topics/create.js
index 5de7ac9fa2..de55045ed8 100644
--- a/src/topics/create.js
+++ b/src/topics/create.js
@@ -301,7 +301,7 @@ module.exports = function(Topics) {
 // Username override for guests, if enabled
 if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postData.uid, 10) === 0 && data.handle) {
- postData.user.username = validator.escape(data.handle);
+ postData.user.username = validator.escape(String(data.handle));
 }
 postData.favourited = false;
@@ -312,7 +312,7 @@ module.exports = function(Topics) {
 postData.display_move_tools = true;
 postData.selfPost = false;
 postData.timestampISO = utils.toISOString(postData.timestamp);
- postData.topic.title = validator.escape(postData.topic.title);
+ postData.topic.title = validator.escape(String(postData.topic.title));
 next(null, postData);
 }
diff --git a/src/topics/posts.js b/src/topics/posts.js
index 80bde62334..3c49fa29ee 100644
--- a/src/topics/posts.js
+++ b/src/topics/posts.js
@@ -128,7 +128,7 @@ module.exports = function(Topics) {
 // Username override for guests, if enabled
 if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postObj.uid, 10) === 0 && postObj.handle) {
- postObj.user.username = validator.escape(String(postObj.handle));
+ postObj.user.username = validator.escape(String(postObj.handle));
 }
 }
 });
diff --git a/src/user/create.js b/src/user/create.js
index df504c3da4..160971c56a 100644
--- a/src/user/create.js
+++ b/src/user/create.js
@@ -14,7 +14,7 @@ module.exports = function(User) {
 data.username = data.username.trim();
 data.userslug = utils.slugify(data.username);
 if (data.email !== undefined) {
- data.email = validator.escape(data.email.trim());
+ data.email = validator.escape(String(data.email).trim());
 }
 User.isDataValid(data, function(err) {
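Review bot: The `!== undefined` guard on the line above still lets `null` through, and `String(null)` is `'null'`, so a create payload with `email: null` now yields the literal address "null" where the old `data.email.trim()` threw. Either widen the guard, `if (data.email != null) {`, or fold the fallback in as the other hunks of this commit do: `data.email = validator.escape(String(data.email || '').trim());`. `User.isDataValid` runs afterwards, but whether it rejects the string `'null'` is not visible in this hunk; the enclosing function also continues past it.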