From 15409f92cd13a7668eac1dc1731401b474f45158 Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Fri, 30 Sep 2016 18:42:19 +0300
Subject: [PATCH] escape history data, hide moderation note in api

---
 src/controllers/accounts/helpers.js | 5 +++++
 src/controllers/accounts/info.js | 4 ++--
 src/middleware/header.js | 2 +-
 src/user/info.js | 23 +++++++----------------
 4 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/src/controllers/accounts/helpers.js b/src/controllers/accounts/helpers.js
index 3d9b2a9a1e..7af9cfa3e4 100644
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -87,6 +87,10 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
  userData.ips = results.ips;
  }
 
+ if (!isAdmin && !isGlobalModerator) {
+ userData.moderationNote = undefined;
+ }
+
  userData.uid = userData.uid;
  userData.yourid = callerUID;
  userData.theirid = userData.uid;
@@ -120,6 +124,7 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
  userData.signature = validator.escape(String(userData.signature || ''));
  userData.aboutme = validator.escape(String(userData.aboutme || ''));
  userData.birthday = validator.escape(String(userData.birthday || ''));
+ userData.moderationNote = validator.escape(String(userData.moderationNote || ''));
 
  userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
  userData['cover:position'] = userData['cover:position'] || '50% 50%';
diff --git a/src/controllers/accounts/info.js b/src/controllers/accounts/info.js
index fad9cd4c24..63dea030ec 100644
--- a/src/controllers/accounts/info.js
+++ b/src/controllers/accounts/info.js
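Review bot: The hide added at `@@ -87` sets `userData.moderationNote = undefined`, but the escape added at `@@ -120` runs later in the same function, and `String(userData.moderationNote || '')` turns that `undefined` back into `''`, so a non-moderator response still carries a `moderationNote` key (as an empty string) rather than omitting it. Nothing leaks, but the two hunks only work together because `''` happens to be harmless, and a later edit that reorders them or changes the fallback would silently undo the hide. Guarding the escape on the same condition makes the intent explicit and keeps the field absent for callers who must not see it: `if (isAdmin || isGlobalModerator) { userData.moderationNote = validator.escape(String(userData.moderationNote || '')); }`. `isAdmin` and `isGlobalModerator` are bound outside the hunk (presumably from `results`), and the body of `getUserDataByUserSlug` starts and ends outside both hunks.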
@@ -22,8 +22,8 @@ infoController.get = function(req, res, callback) {
  async.parallel({
  history: async.apply(user.getModerationHistory, userData.uid),
  sessions: async.apply(user.auth.getSessions, userData.uid, req.sessionID),
- usernames: async.apply(user.getUsernameHistory, userData.uid),
- emails: async.apply(user.getEmailHistory, userData.uid)
+ usernames: async.apply(user.getHistory, 'user:' + userData.uid + ':usernames'),
+ emails: async.apply(user.getHistory, 'user:' + userData.uid + ':emails')
  }, next);
  }
  ], function(err, data) {
diff --git a/src/middleware/header.js b/src/middleware/header.js
index 26e9795019..57c532f83e 100644
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@@ -120,7 +120,7 @@ module.exports = function(middleware) {
  results.user.isAdmin = results.isAdmin;
  results.user.isGlobalMod = results.isGlobalMod;
  results.user.uid = parseInt(results.user.uid, 10);
- results.user.email = String(results.user.email).replace(/\\/g, '\\\\');
+ results.user.email = String(results.user.email).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
  results.user['email:confirmed'] = parseInt(results.user['email:confirmed'], 10) === 1;
  results.user.isEmailConfirmSent = !!results.isEmailConfirmSent;
 
diff --git a/src/user/info.js b/src/user/info.js
index 49d03ed90c..8f2e4d3a83 100644
--- a/src/user/info.js
+++ b/src/user/info.js
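Review bot: The controller now composes the sorted-set keys `'user:' + userData.uid + ':usernames'` and `'user:' + userData.uid + ':emails'` inline, so the key layout that previously lived only in `src/user/info.js` is duplicated at the call site and any change to it has to be made in both files. Keeping `User.getUsernameHistory(uid, callback)` and `User.getEmailHistory(uid, callback)` as one-line wrappers that call `User.getHistory` with the composed key would let this hunk stay at `userData.uid` and would also preserve the two removed functions for any other caller that may still use them (none is visible in this patch). The `async.parallel` call sits inside a waterfall step whose start and end are outside the hunk.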
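Review bot: The added `.replace(/"/g, '\\"')` on `results.user.email` extends a hand-rolled escape that covers only backslash and double quote; where the value is consumed is outside the hunk, but an escape of this shape is what one writes for a double-quoted JavaScript string literal, and in that context a newline, carriage return, U+2028/U+2029 or a `</script` sequence in the address would still terminate the literal or the enclosing script block. If that is the target, `JSON.stringify(String(results.user.email))` (emitted without additional surrounding quotes) handles quotes, backslashes and control characters in one step, with `<` still to be neutralised as `\u003c` when the result is inlined in a script element; if the value lands in HTML markup instead, `validator.escape` as used in `src/controllers/accounts/helpers.js` is the right tool. Either way, a comment naming the consuming context on this line, e.g. `// escaped for embedding in a double-quoted string inside the header template`, would make the choice reviewable. `module.exports = function(middleware)` starts and ends outside the hunk.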
@@ -61,24 +61,15 @@ module.exports = function(User) {
  });
  };
 
- User.getEmailHistory = function(uid, callback) {
- db.getSortedSetRevRangeWithScores('user:' + uid + ':emails', 0, -1, function(err, data) {
- callback(err, data.map(function(set) {
- set.timestamp = set.score;
- set.timestampISO = new Date(set.score).toISOString();
- set.value = set.value.split(':')[0];
- delete set.score;
- return set;
- }));
- });
- };
-
- User.getUsernameHistory = function(uid, callback) {
- db.getSortedSetRevRangeWithScores('user:' + uid + ':usernames', 0, -1, function(err, data) {
- callback(err, data.map(function(set) {
+ User.getHistory = function(set, callback) {
+ db.getSortedSetRevRangeWithScores(set, 0, -1, function(err, data) {
+ if (err) {
+ return callback(err);
+ }
+ callback(null, data.map(function(set) {
  set.timestamp = set.score;
  set.timestampISO = new Date(set.score).toISOString();
- set.value = set.value.split(':')[0];
+ set.value = validator.escape(String(set.value.split(':')[0]));
  delete set.score;
  return set;
  }));
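Review bot: In the new `User.getHistory`, the outer parameter `set` (the sorted-set key) is shadowed by the `data.map(function(set) {...})` callback parameter that names each entry, so two lines apart `set` refers to different things; the removed functions did not have this clash because their outer parameter was `uid`. Renaming the key leaves the rest of the hunk untouched: `User.getHistory = function(key, callback) {` and `db.getSortedSetRevRangeWithScores(key, 0, -1, function(err, data) {`. The hunk also starts using `validator` in this module; whether `src/user/info.js` requires it is outside the hunk (the top of the file is not shown), so that needs checking before merge. The enclosing `module.exports = function(User)` starts and ends outside the hunk.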