closes #4141, closes #4149

v1.18.x
barisusakli 9 years ago
parent 759b183967
commit 2fc385f723

@ -215,10 +215,11 @@ define('forum/topic', [
} }
function updateTopicTitle() { function updateTopicTitle() {
var span = components.get('navbar/title').find('span');
if ($(window).scrollTop() > 50) { if ($(window).scrollTop() > 50) {
components.get('navbar/title').find('span').text(ajaxify.data.title).show(); span.html(ajaxify.data.titleEscaped).show();
} else { } else {
components.get('navbar/title').find('span').text('').hide(); span.html('').hide();
} }
app.removeAlert('bookmark'); app.removeAlert('bookmark');
} }
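Review bot: The new `span.html(ajaxify.data.titleEscaped).show()` makes the navbar title's safety depend on `titleEscaped` being escaped on every route that populates `ajaxify.data`, while `span.text(ajaxify.data.title).show()` would render the same text with no HTML interpretation at all now that the server no longer escapes `title` in place. Suggest keeping `.text()` here: `span.text(ajaxify.data.title).show();`, which also spares the client from knowing which field is pre-escaped. If some route only supplies `titleEscaped` and not `title`, that is not visible in this hunk.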

@ -4,17 +4,14 @@
define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator'], function(share, navigator, components, translator) { define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator'], function(share, navigator, components, translator) {
var PostTools = {}, var PostTools = {};
topicName;
PostTools.init = function(tid) { PostTools.init = function(tid) {
topicName = ajaxify.data.title;
renderMenu(); renderMenu();
addPostHandlers(tid); addPostHandlers(tid);
share.addShareHandlers(topicName); share.addShareHandlers(ajaxify.data.title);
addVoteHandler(); addVoteHandler();
@ -106,15 +103,15 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
var postContainer = components.get('topic'); var postContainer = components.get('topic');
postContainer.on('click', '[component="post/quote"]', function() { postContainer.on('click', '[component="post/quote"]', function() {
onQuoteClicked($(this), tid, topicName); onQuoteClicked($(this), tid);
}); });
postContainer.on('click', '[component="post/reply"]', function() { postContainer.on('click', '[component="post/reply"]', function() {
onReplyClicked($(this), tid, topicName); onReplyClicked($(this), tid);
}); });
$('.topic').on('click', '[component="topic/reply"]', function() { $('.topic').on('click', '[component="topic/reply"]', function() {
onReplyClicked($(this), tid, topicName); onReplyClicked($(this), tid);
}); });
$('.topic').on('click', '[component="topic/reply-as-topic"]', function() { $('.topic').on('click', '[component="topic/reply-as-topic"]', function() {
@ -174,7 +171,7 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
}); });
} }
function onReplyClicked(button, tid, topicName) { function onReplyClicked(button, tid) {
showStaleWarning(function(proceed) { showStaleWarning(function(proceed) {
if (!proceed) { if (!proceed) {
var selectionText = '', var selectionText = '',
@ -197,7 +194,7 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
slug: ajaxify.data.slug, slug: ajaxify.data.slug,
index: getData(button, 'data-index'), index: getData(button, 'data-index'),
pid: toPid, pid: toPid,
topicName: topicName, topicName: ajaxify.data.title,
username: username, username: username,
text: selectionText text: selectionText
}); });
@ -205,7 +202,7 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
$(window).trigger('action:composer.post.new', { $(window).trigger('action:composer.post.new', {
tid: tid, tid: tid,
pid: toPid, pid: toPid,
topicName: topicName, topicName: ajaxify.data.title,
text: username ? username + ' ' : '' text: username ? username + ' ' : ''
}); });
} }
@ -213,7 +210,7 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
}); });
} }
function onQuoteClicked(button, tid, topicName) { function onQuoteClicked(button, tid) {
showStaleWarning(function(proceed) { showStaleWarning(function(proceed) {
if (!proceed) { if (!proceed) {
var username = getUserName(button), var username = getUserName(button),
@ -230,7 +227,7 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
index: getData(button, 'data-index'), index: getData(button, 'data-index'),
pid: pid, pid: pid,
username: username, username: username,
topicName: topicName, topicName: ajaxify.data.title,
text: post text: post
}); });
}); });
@ -368,7 +365,7 @@ define('forum/topic/postTools', ['share', 'navigator', 'components', 'translator
}); });
topicId.on('keyup change', function() { topicId.on('keyup change', function() {
moveBtn.attr('disabled', !topicId.val()) moveBtn.attr('disabled', !topicId.val());
}); });
moveBtn.on('click', function() { moveBtn.on('click', function() {
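Review bot: The `topicName: ajaxify.data.title` values handed to the composer events in the `onReplyClicked` and `onQuoteClicked` hunks now carry the raw title, whereas before this commit the server escaped `topic.title` in place, so those consumers previously received an escaped string. Any consumer of `topicName` (the composer, `share.addShareHandlers`) that inserts it into HTML or a share URL must now escape or encode it itself; those consumers are not visible in this diff, so please confirm. If a consumer expects an escaped string, `ajaxify.data.titleEscaped` is the matching replacement; otherwise a comment in `PostTools.init` such as `// topicName is the raw, unescaped title; escape before inserting as HTML` would make the contract explicit. `onReplyClicked` and `onQuoteClicked` both extend beyond their hunks.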

@ -138,12 +138,6 @@ define('forum/topic/posts', [
before = repliesSelector.first(); before = repliesSelector.first();
} }
data.title = $('<div></div>').text(ajaxify.data.title).html();
data.slug = ajaxify.data.slug;
data.tags = ajaxify.data.tags;
data.viewcount = ajaxify.data.viewcount;
data.isFollowing = ajaxify.data.isFollowing;
$(window).trigger('action:posts.loading', {posts: data.posts, after: after, before: before}); $(window).trigger('action:posts.loading', {posts: data.posts, after: after, before: before});
app.parseAndTranslate('topic', 'posts', data, function(html) { app.parseAndTranslate('topic', 'posts', data, function(html) {
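Review bot: Removing `data.title = $('<div></div>').text(ajaxify.data.title).html()` drops the client-side escaping of the title passed to the `topic/posts` template, and the hunk adds no replacement field. If that template or the `action:posts.loading` listeners still read `title`, `slug`, `tags`, `viewcount` or `isFollowing` from `data`, they are now undefined unless the server response already carries them; that response is not visible here, so please confirm. Where the template needs the title for HTML output, the server-side `titleEscaped` is the right source rather than reintroducing ad-hoc jQuery escaping. The enclosing function starts and ends outside this hunk.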

@ -1,26 +1,29 @@
"use strict"; "use strict";
var topicsController = {},
async = require('async'), var async = require('async');
S = require('string'), var S = require('string');
nconf = require('nconf'), var nconf = require('nconf');
var validator = require('validator');
user = require('../user'),
meta = require('../meta'), var user = require('../user');
topics = require('../topics'), var meta = require('../meta');
posts = require('../posts'), var topics = require('../topics');
privileges = require('../privileges'), var posts = require('../posts');
plugins = require('../plugins'), var privileges = require('../privileges');
helpers = require('./helpers'), var plugins = require('../plugins');
pagination = require('../pagination'), var helpers = require('./helpers');
utils = require('../../public/src/utils'); var pagination = require('../pagination');
var utils = require('../../public/src/utils');
var topicsController = {};
topicsController.get = function(req, res, callback) { topicsController.get = function(req, res, callback) {
var tid = req.params.topic_id, var tid = req.params.topic_id;
sort = req.query.sort, var sort = req.query.sort;
currentPage = parseInt(req.query.page, 10) || 1, var currentPage = parseInt(req.query.page, 10) || 1;
pageCount = 1, var pageCount = 1;
userPrivileges; var userPrivileges;
if ((req.params.post_index && !utils.isNumber(req.params.post_index)) || !utils.isNumber(tid)) { if ((req.params.post_index && !utils.isNumber(req.params.post_index)) || !utils.isNumber(tid)) {
return callback(); return callback();
@ -128,7 +131,7 @@ topicsController.get = function(req, res, callback) {
url: nconf.get('relative_path') + '/category/' + data.topicData.category.slug url: nconf.get('relative_path') + '/category/' + data.topicData.category.slug
}, },
{ {
text: data.topicData.title text: validator.escape(data.topicData.title)
} }
]; ];
@ -187,7 +190,7 @@ topicsController.get = function(req, res, callback) {
}, },
{ {
property: 'og:title', property: 'og:title',
content: topicData.title.replace(/&amp;/g, '&') content: topicData.title
}, },
{ {
property: 'og:description', property: 'og:description',
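Review bot: `og:title` now receives `topicData.title` unescaped while the breadcrumb hunk above escapes the same value with `validator.escape`, so the two hunks treat the title inconsistently. Since `topic.title` is no longer escaped server-side, the meta-tag renderer must attribute-escape `content` itself; if it does not, a double quote in a title breaks out of the `content="..."` attribute. If the renderer does escape, a comment on the `content: topicData.title` line such as `// raw title; the meta renderer escapes attribute values` records that assumption, otherwise use `validator.escape(topicData.title)` here to match the breadcrumb. The enclosing `topicsController.get` body extends beyond these hunks.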

@ -44,9 +44,6 @@ var async = require('async'),
return next(null, null); return next(null, null);
} }
if (notification.bodyShort) {
notification.bodyShort = S(notification.bodyShort).escapeHTML().s;
}
if (notification.bodyLong) { if (notification.bodyLong) {
notification.bodyLong = S(notification.bodyLong).escapeHTML().s; notification.bodyLong = S(notification.bodyLong).escapeHTML().s;
} }
@ -388,9 +385,9 @@ var async = require('async'),
var numUsers = usernames.length; var numUsers = usernames.length;
if (numUsers === 2) { if (numUsers === 2) {
notifications[modifyIndex].bodyShort = '[[' + mergeId + '_dual, ' + usernames.join(', ') + ', ' + notifications[modifyIndex].topicTitle + ']]' notifications[modifyIndex].bodyShort = '[[' + mergeId + '_dual, ' + usernames.join(', ') + ', ' + notifications[modifyIndex].topicTitle + ']]';
} else if (numUsers > 2) { } else if (numUsers > 2) {
notifications[modifyIndex].bodyShort = '[[' + mergeId + '_multiple, ' + usernames[0] + ', ' + (numUsers-1) + ', ' + notifications[modifyIndex].topicTitle + ']]' notifications[modifyIndex].bodyShort = '[[' + mergeId + '_multiple, ' + usernames[0] + ', ' + (numUsers-1) + ', ' + notifications[modifyIndex].topicTitle + ']]';
} }
break; break;
} }
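Review bot: With the `bodyShort` escaping removed in the first hunk, the merged `bodyShort` strings built on the two `'[[' + mergeId + ...` lines now embed `usernames` and `notifications[modifyIndex].topicTitle` without any escaping, while `bodyLong` keeps its `escapeHTML` call, so the two fields are no longer treated alike. If `topicTitle` is the raw title after this commit, it needs escaping where it is assigned to the notification, or the client must render `bodyShort` via `.text()`; that assignment is not visible in this diff. A comment at the point where the escaping was removed, e.g. `// bodyShort is a translator token; its arguments must already be escaped by the producer`, would state which side is responsible. Both enclosing functions extend outside their hunks.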

@ -58,7 +58,7 @@ module.exports = function(Topics) {
if (!topic) { if (!topic) {
return; return;
} }
topic.title = validator.escape(topic.title); topic.titleEscaped = validator.escape(topic.title);
topic.relativeTime = utils.toISOString(topic.timestamp); topic.relativeTime = utils.toISOString(topic.timestamp);
topic.lastposttimeISO = utils.toISOString(topic.lastposttime); topic.lastposttimeISO = utils.toISOString(topic.lastposttime);
} }
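Review bot: The new `topic.titleEscaped` field leaves `topic.title` raw, so every template and client path that previously relied on `title` being pre-escaped must switch to `titleEscaped`, and the hunk gives no hint of that contract. Suggest a comment above the line: `// title stays unescaped; use titleEscaped wherever the title is rendered as HTML`. The enclosing function starts outside this hunk.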

@ -1,11 +1,12 @@
'use strict'; 'use strict';
/*global require, before, beforeEach, after*/ /*global require, before, beforeEach, after*/
var assert = require('assert'), var assert = require('assert');
db = require('./mocks/databasemock'), var validator = require('validator');
topics = require('../src/topics'), var db = require('./mocks/databasemock');
categories = require('../src/categories'), var topics = require('../src/topics');
User = require('../src/user'); var categories = require('../src/categories');
var User = require('../src/user');
describe('Topic\'s', function() { describe('Topic\'s', function() {
var topic, var topic,
@ -144,6 +145,22 @@ describe('Topic\'s', function() {
}); });
}); });
describe('Title escaping', function() {
it('should properly escape topic title', function(done) {
var title = '"<script>alert(\'ok1\');</script> new topic test';
var titleEscaped = validator.escape(title);
topics.post({uid: topic.userId, title: title, content: topic.content, cid: topic.categoryId}, function(err, result) {
assert.ifError(err);
topics.getTopicData(result.topicData.tid, function(err, topicData) {
assert.ifError(err);
assert.strictEqual(topicData.titleEscaped, titleEscaped);
assert.strictEqual(topicData.title, title);
});
});
});
});
after(function() { after(function() {
db.flushdb(); db.flushdb();
}); });
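Review bot: The new test `should properly escape topic title` declares a `done` parameter but never calls it, so mocha will time it out instead of passing it, and an assertion failure inside the nested callback surfaces as an uncaught exception rather than a reported failure. Add `done();` after `assert.strictEqual(topicData.title, title);` in the innermost callback. The enclosing `describe('Topic\'s')` block starts outside this hunk.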
