fixes potential XSS in usercard

9 years ago · 294171b072
parent cccc64ef90
commit 294171b072
1 changed files with 3 additions and 0 deletions
--- a/src/posts/user.js
+++ b/src/posts/user.js
@ -1,6 +1,7 @@
 'use strict';

 var async = require('async'),
+	validator = require('validator'),

 	db = require('../database'),
 	user = require('../user'),
@ -69,6 +70,8 @@ module.exports = function(Posts) {
 				userData.picture = userData.picture || '';
 				userData.status = user.getStatus(userData);
 				userData.groupTitle = results.groupTitles[i].groupTitle;
+				userData.signature = validator.escape(userData.signature || '');
+				userData.fullname = validator.escape(userData.fullname || '');
 			});

 			async.map(userData, function(userData, next) {