make sure validator.escape() receives strings only

v1.18.x
barisusakli 9 years ago
parent 431e7dd987
commit 07fe5057e1

@ -42,7 +42,7 @@ module.exports = function(Categories) {
return; return;
} }
category.name = validator.escape(category.name || ''); category.name = validator.escape(String(category.name || ''));
category.disabled = category.hasOwnProperty('disabled') ? parseInt(category.disabled, 10) === 1 : undefined; category.disabled = category.hasOwnProperty('disabled') ? parseInt(category.disabled, 10) === 1 : undefined;
category.icon = category.icon || 'hidden'; category.icon = category.icon || 'hidden';
if (category.hasOwnProperty('post_count')) { if (category.hasOwnProperty('post_count')) {
@ -58,7 +58,7 @@ module.exports = function(Categories) {
} }
if (category.description) { if (category.description) {
category.description = validator.escape(category.description); category.description = validator.escape(String(category.description));
category.descriptionParsed = category.descriptionParsed || category.description; category.descriptionParsed = category.descriptionParsed || category.description;
} }
} }

@ -137,7 +137,7 @@ module.exports = function(Categories) {
teaser.tid = teaser.uid = teaser.user.uid = undefined; teaser.tid = teaser.uid = teaser.user.uid = undefined;
teaser.topic = { teaser.topic = {
slug: topicData[index].slug, slug: topicData[index].slug,
title: validator.escape(topicData[index].title) title: validator.escape(String(topicData[index].title))
}; };
} }
}); });
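Review bot: `String(topicData[index].title)` turns a missing title into the literal text `undefined`, which `validator.escape` passes through unchanged, so the teaser would render the word "undefined" instead of an empty title; the first hunk's `String(category.name || '')` form already avoids this. Suggested line: `title: validator.escape(String(topicData[index].title || ''))`. The same unguarded coercion appears later in this commit for `groupName`, `data.name`, `tag.content`, `title` in the post-edit event data, `titles[index].title`, `data.newName` and `postData.topic.title`, and deserves the same fallback wherever the value can be absent. The enclosing callback starts before this hunk.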

@ -98,17 +98,17 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
userData.sso = results.sso.associations; userData.sso = results.sso.associations;
userData.status = user.getStatus(userData); userData.status = user.getStatus(userData);
userData.banned = parseInt(userData.banned, 10) === 1; userData.banned = parseInt(userData.banned, 10) === 1;
userData.website = validator.escape(userData.website || ''); userData.website = validator.escape(String(userData.website || ''));
userData.websiteLink = !userData.website.startsWith('http') ? 'http://' + userData.website : userData.website; userData.websiteLink = !userData.website.startsWith('http') ? 'http://' + userData.website : userData.website;
userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), ''); userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), '');
userData.followingCount = parseInt(userData.followingCount, 10) || 0; userData.followingCount = parseInt(userData.followingCount, 10) || 0;
userData.followerCount = parseInt(userData.followerCount, 10) || 0; userData.followerCount = parseInt(userData.followerCount, 10) || 0;
userData.email = validator.escape(userData.email || ''); userData.email = validator.escape(String(userData.email || ''));
userData.fullname = validator.escape(userData.fullname || ''); userData.fullname = validator.escape(String(userData.fullname || ''));
userData.location = validator.escape(userData.location || ''); userData.location = validator.escape(String(userData.location || ''));
userData.signature = validator.escape(userData.signature || ''); userData.signature = validator.escape(String(userData.signature || ''));
userData.aboutme = validator.escape(userData.aboutme || ''); userData.aboutme = validator.escape(String(userData.aboutme || ''));
userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid); userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
userData['cover:position'] = userData['cover:position'] || '50% 50%'; userData['cover:position'] = userData['cover:position'] || '50% 50%';

@ -22,8 +22,8 @@ apiController.getConfig = function(req, res, next) {
config.environment = process.env.NODE_ENV; config.environment = process.env.NODE_ENV;
config.relative_path = nconf.get('relative_path'); config.relative_path = nconf.get('relative_path');
config.version = nconf.get('version'); config.version = nconf.get('version');
config.siteTitle = validator.escape(meta.config.title || meta.config.browserTitle || 'NodeBB'); config.siteTitle = validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB'));
config.browserTitle = validator.escape(meta.config.browserTitle || meta.config.title || 'NodeBB'); config.browserTitle = validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB'));
config.titleLayout = (meta.config.titleLayout || '{pageTitle} | {browserTitle}').replace(/{/g, '{').replace(/}/g, '}'); config.titleLayout = (meta.config.titleLayout || '{pageTitle} | {browserTitle}').replace(/{/g, '{').replace(/}/g, '}');
config.showSiteTitle = parseInt(meta.config.showSiteTitle, 10) === 1; config.showSiteTitle = parseInt(meta.config.showSiteTitle, 10) === 1;
config.minimumTitleLength = meta.config.minimumTitleLength; config.minimumTitleLength = meta.config.minimumTitleLength;
@ -53,7 +53,7 @@ apiController.getConfig = function(req, res, next) {
config['theme:id'] = meta.config['theme:id']; config['theme:id'] = meta.config['theme:id'];
config['theme:src'] = meta.config['theme:src']; config['theme:src'] = meta.config['theme:src'];
config.defaultLang = meta.config.defaultLang || 'en_GB'; config.defaultLang = meta.config.defaultLang || 'en_GB';
config.userLang = req.query.lang ? validator.escape(req.query.lang) : config.defaultLang; config.userLang = req.query.lang ? validator.escape(String(req.query.lang)) : config.defaultLang;
config.loggedIn = !!req.user; config.loggedIn = !!req.user;
config['cache-buster'] = meta.config['cache-buster'] || ''; config['cache-buster'] = meta.config['cache-buster'] || '';
config.requireEmailConfirmation = parseInt(meta.config.requireEmailConfirmation, 10) === 1; config.requireEmailConfirmation = parseInt(meta.config.requireEmailConfirmation, 10) === 1;
@ -76,7 +76,7 @@ apiController.getConfig = function(req, res, next) {
config.topicsPerPage = settings.topicsPerPage; config.topicsPerPage = settings.topicsPerPage;
config.postsPerPage = settings.postsPerPage; config.postsPerPage = settings.postsPerPage;
config.notificationSounds = settings.notificationSounds; config.notificationSounds = settings.notificationSounds;
config.userLang = (req.query.lang ? validator.escape(req.query.lang) : null) || settings.userLang || config.defaultLang; config.userLang = (req.query.lang ? validator.escape(String(req.query.lang)) : null) || settings.userLang || config.defaultLang;
config.openOutgoingLinksInNewTab = settings.openOutgoingLinksInNewTab; config.openOutgoingLinksInNewTab = settings.openOutgoingLinksInNewTab;
config.topicPostSort = settings.topicPostSort || config.topicPostSort; config.topicPostSort = settings.topicPostSort || config.topicPostSort;
config.categoryTopicSort = settings.categoryTopicSort || config.categoryTopicSort; config.categoryTopicSort = settings.categoryTopicSort || config.categoryTopicSort;
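Review bot: `validator.escape(String(req.query.lang))` in both `config.userLang` assignments only HTML-encodes the query value and does not validate it; `req.query.lang` can arrive as an array or object from the query parser, which `String()` folds into `a,b` or `[object Object]` rather than rejecting. The result is then used as a language identifier (the middleware hunk later in this commit feeds the same expression to `translator.translate`), so a type check with fallback is the safer shape: `config.userLang = typeof req.query.lang === 'string' ? validator.escape(req.query.lang) : config.defaultLang;`, ideally also matched against the set of installed languages if one is available here. The second assignment and the middleware occurrence follow the same pattern. getConfig starts before and ends after these hunks.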

@ -13,10 +13,10 @@ var categoriesController = {};
categoriesController.list = function(req, res, next) { categoriesController.list = function(req, res, next) {
res.locals.metaTags = [{ res.locals.metaTags = [{
name: "title", name: "title",
content: validator.escape(meta.config.title || 'NodeBB') content: validator.escape(String(meta.config.title || 'NodeBB'))
}, { }, {
name: "description", name: "description",
content: validator.escape(meta.config.description || '') content: validator.escape(String(meta.config.description || ''))
}, { }, {
property: 'og:title', property: 'og:title',
content: '[[pages:categories]]' content: '[[pages:categories]]'

@ -119,7 +119,7 @@ groupsController.members = function(req, res, next) {
var breadcrumbs = helpers.buildBreadcrumbs([ var breadcrumbs = helpers.buildBreadcrumbs([
{text: '[[pages:groups]]', url: '/groups' }, {text: '[[pages:groups]]', url: '/groups' },
{text: validator.escape(groupName), url: '/groups/' + req.params.slug}, {text: validator.escape(String(groupName)), url: '/groups/' + req.params.slug},
{text: '[[groups:details.members]]'} {text: '[[groups:details.members]]'}
]); ]);

@ -67,7 +67,7 @@ helpers.buildCategoryBreadcrumbs = function(cid, callback) {
if (!parseInt(data.disabled, 10)) { if (!parseInt(data.disabled, 10)) {
breadcrumbs.unshift({ breadcrumbs.unshift({
text: validator.escape(data.name), text: validator.escape(String(data.name)),
url: nconf.get('relative_path') + '/category/' + data.slug url: nconf.get('relative_path') + '/category/' + data.slug
}); });
} }
@ -119,7 +119,7 @@ helpers.buildBreadcrumbs = function(crumbs) {
helpers.buildTitle = function(pageTitle) { helpers.buildTitle = function(pageTitle) {
var titleLayout = meta.config.titleLayout || '{pageTitle} | {browserTitle}'; var titleLayout = meta.config.titleLayout || '{pageTitle} | {browserTitle}';
var browserTitle = validator.escape(meta.config.browserTitle || meta.config.title || 'NodeBB'); var browserTitle = validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB'));
pageTitle = pageTitle || ''; pageTitle = pageTitle || '';
var title = titleLayout.replace('{pageTitle}', function() { var title = titleLayout.replace('{pageTitle}', function() {
return pageTitle; return pageTitle;

@ -13,7 +13,7 @@ var helpers = require('./helpers');
var tagsController = {}; var tagsController = {};
tagsController.getTag = function(req, res, next) { tagsController.getTag = function(req, res, next) {
var tag = validator.escape(req.params.tag); var tag = validator.escape(String(req.params.tag));
var page = parseInt(req.query.page, 10) || 1; var page = parseInt(req.query.page, 10) || 1;
var templateData = { var templateData = {

@ -15,7 +15,7 @@ module.exports = function(Messaging) {
} }
data.roomName = data.roomName || '[[modules:chat.roomname, ' + roomId + ']]'; data.roomName = data.roomName || '[[modules:chat.roomname, ' + roomId + ']]';
if (data.roomName) { if (data.roomName) {
data.roomName = validator.escape(data.roomName); data.roomName = validator.escape(String(data.roomName));
} }
callback(null, data); callback(null, data);
}); });

@ -97,7 +97,7 @@ module.exports = function(Meta) {
} }
if (!tag.noEscape) { if (!tag.noEscape) {
tag.content = validator.escape(tag.content); tag.content = validator.escape(String(tag.content));
} }
return tag; return tag;
@ -125,7 +125,7 @@ module.exports = function(Meta) {
if (!hasDescription) { if (!hasDescription) {
meta.push({ meta.push({
name: 'description', name: 'description',
content: validator.escape(Meta.config.description || '') content: validator.escape(String(Meta.config.description || ''))
}); });
} }
} }

@ -30,7 +30,7 @@ module.exports = function(middleware) {
footer: function(next) { footer: function(next) {
req.app.render('footer', { req.app.render('footer', {
loggedIn: !!req.uid, loggedIn: !!req.uid,
title: validator.escape(meta.config.title || meta.config.browserTitle || 'NodeBB') title: validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB'))
}, next); }, next);
}, },
plugins: function(next) { plugins: function(next) {

@ -81,7 +81,7 @@ module.exports = function(middleware) {
} }
str = template + str; str = template + str;
var language = res.locals.config ? res.locals.config.userLang || 'en_GB' : 'en_GB'; var language = res.locals.config ? res.locals.config.userLang || 'en_GB' : 'en_GB';
language = req.query.lang ? validator.escape(req.query.lang) : language; language = req.query.lang ? validator.escape(String(req.query.lang)) : language;
translator.translate(str, language, function(translated) { translator.translate(str, language, function(translated) {
translated = translator.unescape(translated); translated = translator.unescape(translated);
translated = translated + '<script id="ajaxify-data" type="application/json">' + ajaxifyData + '</script>'; translated = translated + '<script id="ajaxify-data" type="application/json">' + ajaxifyData + '</script>';

@ -141,7 +141,7 @@ module.exports = function(Posts) {
tid: tid, tid: tid,
cid: results.topic.cid, cid: results.topic.cid,
uid: postData.uid, uid: postData.uid,
title: validator.escape(title), title: validator.escape(String(title)),
oldTitle: results.topic.title, oldTitle: results.topic.title,
slug: topicData.slug, slug: topicData.slug,
isMainPost: true, isMainPost: true,

@ -52,8 +52,8 @@ module.exports = function(Posts) {
userData.banned = parseInt(userData.banned, 10) === 1; userData.banned = parseInt(userData.banned, 10) === 1;
userData.picture = userData.picture || ''; userData.picture = userData.picture || '';
userData.status = user.getStatus(userData); userData.status = user.getStatus(userData);
userData.signature = validator.escape(userData.signature || ''); userData.signature = validator.escape(String(userData.signature || ''));
userData.fullname = validator.escape(userData.fullname || ''); userData.fullname = validator.escape(String(userData.fullname || ''));
}); });
async.map(userData, function(userData, next) { async.map(userData, function(userData, next) {

@ -34,7 +34,7 @@ search.search = function(data, callback) {
} }
}, },
function (result, next) { function (result, next) {
result.search_query = validator.escape(data.query || ''); result.search_query = validator.escape(String(data.query || ''));
result.time = (process.elapsedTimeSince(start) / 1000).toFixed(2); result.time = (process.elapsedTimeSince(start) / 1000).toFixed(2);
next(null, result); next(null, result);
} }

@ -107,7 +107,7 @@ SocketRooms.getAll = function(socket, data, callback) {
topTenTopics.forEach(function(topic, index) { topTenTopics.forEach(function(topic, index) {
totals.topics[topic.tid] = { totals.topics[topic.tid] = {
value: topic.count || 0, value: topic.count || 0,
title: validator.escape(titles[index].title) title: validator.escape(String(titles[index].title))
}; };
}); });

@ -280,7 +280,7 @@ SocketModules.chats.renameRoom = function(socket, data, callback) {
Messaging.getUidsInRoom(data.roomId, 0, -1, next); Messaging.getUidsInRoom(data.roomId, 0, -1, next);
}, },
function (uids, next) { function (uids, next) {
var eventData = {roomId: data.roomId, newName: validator.escape(data.newName)}; var eventData = {roomId: data.roomId, newName: validator.escape(String(data.newName))};
uids.forEach(function(uid) { uids.forEach(function(uid) {
server.in('uid_' + uid).emit('event:chats.roomRename', eventData); server.in('uid_' + uid).emit('event:chats.roomRename', eventData);
}); });

@ -301,7 +301,7 @@ module.exports = function(Topics) {
// Username override for guests, if enabled // Username override for guests, if enabled
if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postData.uid, 10) === 0 && data.handle) { if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postData.uid, 10) === 0 && data.handle) {
postData.user.username = validator.escape(data.handle); postData.user.username = validator.escape(String(data.handle));
} }
postData.favourited = false; postData.favourited = false;
@ -312,7 +312,7 @@ module.exports = function(Topics) {
postData.display_move_tools = true; postData.display_move_tools = true;
postData.selfPost = false; postData.selfPost = false;
postData.timestampISO = utils.toISOString(postData.timestamp); postData.timestampISO = utils.toISOString(postData.timestamp);
postData.topic.title = validator.escape(postData.topic.title); postData.topic.title = validator.escape(String(postData.topic.title));
next(null, postData); next(null, postData);
} }

@ -128,7 +128,7 @@ module.exports = function(Topics) {
// Username override for guests, if enabled // Username override for guests, if enabled
if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postObj.uid, 10) === 0 && postObj.handle) { if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postObj.uid, 10) === 0 && postObj.handle) {
postObj.user.username = validator.escape(postObj.handle); postObj.user.username = validator.escape(String(postObj.handle));
} }
} }
}); });

@ -14,7 +14,7 @@ module.exports = function(User) {
data.username = data.username.trim(); data.username = data.username.trim();
data.userslug = utils.slugify(data.username); data.userslug = utils.slugify(data.username);
if (data.email !== undefined) { if (data.email !== undefined) {
data.email = validator.escape(data.email.trim()); data.email = validator.escape(String(data.email).trim());
} }
User.isDataValid(data, function(err) { User.isDataValid(data, function(err) {
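Review bot: `String(data.email).trim()` still runs when `data.email` is `null`, because the guard on the line above only excludes `undefined`, so a null email becomes the literal string `null` before `User.isDataValid` sees it; the coercion also quietly flattens arrays and objects into strings instead of rejecting them. A stricter guard keeps the commit's intent (no non-string reaching `validator.escape`) without inventing a value: `if (typeof data.email === 'string') { data.email = validator.escape(data.email.trim()); }`, leaving any other type for `isDataValid` to reject — assuming it checks the type, which is worth confirming. The enclosing function starts before the hunk and continues after it.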
