From 2f3b7279be1553c01743747040a40c7d03b925ef Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Wed, 10 Jan 2018 16:14:42 -0500
Subject: [PATCH] closes #6212
---
 install/package.json | 4 ++--
 public/language/en-GB/pages.json | 2 +-
 public/src/modules/translator.js | 6 ++----
 src/topics/tags.js | 2 ++
 test/translator.js | 9 +++++++++
 5 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/install/package.json b/install/package.json
index 63cc989386..f3538ddbcf 100644
--- a/install/package.json
+++ b/install/package.json
@@ -69,9 +69,9 @@
 "nodebb-plugin-spam-be-gone": "0.5.1",
 "nodebb-rewards-essentials": "0.0.9",
 "nodebb-theme-lavender": "5.0.0",
- "nodebb-theme-persona": "7.2.10",
+ "nodebb-theme-persona": "7.2.11",
 "nodebb-theme-slick": "1.1.2",
- "nodebb-theme-vanilla": "8.1.4",
+ "nodebb-theme-vanilla": "8.1.5",
 "nodebb-widget-essentials": "4.0.1",
 "nodemailer": "4.4.1",
 "passport": "^0.4.0",
diff --git a/public/language/en-GB/pages.json b/public/language/en-GB/pages.json
index 201d10ef0a..70f6cc24a3 100644
--- a/public/language/en-GB/pages.json
+++ b/public/language/en-GB/pages.json
@@ -22,7 +22,7 @@
 "notifications": "Notifications",
 "tags": "Tags",
- "tag": "Topics tagged under \"%1\"",
+ "tag": "Topics tagged under "%1"",
 "register": "Register an account",
 "registration-complete": "Registration complete",
 "login": "Login to your account",
diff --git a/public/src/modules/translator.js b/public/src/modules/translator.js
index 6376d9e4d0..9171d65ada 100644
--- a/public/src/modules/translator.js
+++ b/public/src/modules/translator.js
@@ -41,13 +41,11 @@
 var assign = Object.assign || jQuery.extend;
 function escapeHTML(str) {
- return utils.decodeHTMLEntities(
+ return utils.escapeHTML(utils.decodeHTMLEntities(
 String(str)
 .replace(/[\s\xa0]+/g, ' ')
 .replace(/^\s+|\s+$/g, '')
- ).replace(/[<>]/g, function (c) {
- return c === '<' ? '<' : '>';
- });
+ ));
 }
 var Translator = (function () {
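Review bot: `escapeHTML` in translator.js now delegates the whole escaping step to `utils.escapeHTML`, but the hunk gives no indication of what that helper escapes, and the replacer it removes only ever handled `<` and `>`; whether `&`, `"` and `'` are now covered (which the new test in test/translator.js appears to rely on) is not visible here and should be confirmed against utils. The decode-then-escape order is the property that matters — decoding first keeps input that arrives already entity-encoded from being escaped twice, and escaping last guarantees every parameter reaches the page escaped exactly once — so it deserves a comment on the function, e.g. `// Collapse whitespace, decode entities the caller may already have applied, then escape once; relies on utils.escapeHTML handling &, <, >, " and '.` As a style point, the local name `escapeHTML` now reads as an alias of `utils.escapeHTML` while it also trims and collapses whitespace; a name such as `normaliseAndEscapeParam` would say what it actually does.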
diff --git a/src/topics/tags.js b/src/topics/tags.js
index 4561c950fa..48cf353005 100644
--- a/src/topics/tags.js
+++ b/src/topics/tags.js
@@ -2,6 +2,7 @@
 'use strict';
 var async = require('async');
+var validator = require('validator');
 var db = require('../database');
 var meta = require('../meta');
@@ -191,6 +192,7 @@ module.exports = function (Topics) {
 },
 function (tagData, next) {
 tags.forEach(function (tag, index) {
+ tag.valueEscaped = validator.escape(String(tag.value));
 tag.color = tagData[index] ? tagData[index].color : '';
 tag.bgColor = tagData[index] ? tagData[index].bgColor : '';
 });
diff --git a/test/translator.js b/test/translator.js
index 62aa2dcea1..413002b2aa 100644
--- a/test/translator.js
+++ b/test/translator.js
@@ -114,6 +114,15 @@ describe('new Translator(language)', function () {
 });
 });
+ it('should not unescape html in parameters', function () {
+ var translator = Translator.create('en-GB');
+ var key = '[[pages:tag, some&tag]]';
+ return translator.translate(key).then(function (translated) {
+ assert.strictEqual(translated, 'Topics tagged under "some&tag"');
+ });
+ });
+
 it('should properly escape and ignore % and \\, in arguments', function () {
 var translator = Translator.create('en-GB');
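Review bot: The new `tag.valueEscaped` assignment in the tags.forEach callback escapes a copy but leaves `tag.value` as the raw string on the same object, so any template that still renders `tag.value` as HTML is unchanged by this commit; record the intent where the field is set, e.g. `// HTML-escaped copy for rendering; tag.value stays raw for lookups and links — templates must use valueEscaped`. `String(tag.value)` also maps a missing value to the literal text `undefined`; if `tag.value` can be absent here (not visible in the hunk), `validator.escape(tag.value == null ? '' : String(tag.value))` avoids rendering that word. The async step this callback belongs to starts and ends outside the hunk, and the require added in this file's first hunk is fine as is.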