From 4ff3d06f9049469911383a12f61bac833d649318 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Sat, 17 Dec 2016 16:00:39 +0300
Subject: [PATCH] escape labelColor, icon, cover:position, validate toPid
---
 public/src/modules/iconSelect.js | 10 +++++++---
 src/controllers/accounts/helpers.js | 2 +-
 src/groups.js | 9 ++++++---
 src/posts/create.js | 6 +++++-
 test/topics.js | 7 +++++++
 5 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/public/src/modules/iconSelect.js b/public/src/modules/iconSelect.js
index 34a7d595ce..5f04baf59f 100644
--- a/public/src/modules/iconSelect.js
+++ b/public/src/modules/iconSelect.js
@@ -7,13 +7,17 @@ define('iconSelect', function () {
 iconSelect.init = function (el, onModified) {
 onModified = onModified || function () {};
- var doubleSize = el.hasClass('fa-2x'),
- selected = el.attr('class').replace('fa-2x', '').replace('fa', '').replace(/\s+/g, '');
+ var doubleSize = el.hasClass('fa-2x');
+ var selected = el.attr('class').replace('fa-2x', '').replace('fa', '').replace(/\s+/g, '');
 $('#icons .selected').removeClass('selected');
 if (selected) {
- $('#icons .fa-icons .fa.' + selected).addClass('selected');
+ try {
+ $('#icons .fa-icons .fa.' + selected).addClass('selected');
+ } catch (err) {
+ selected = '';
+ }
 }
 templates.parse('partials/fontawesome', {}, function (html) {
diff --git a/src/controllers/accounts/helpers.js b/src/controllers/accounts/helpers.js
index f3efd67285..2ef476a4ef 100644
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
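Review bot: The new try/catch in iconSelect.init discards the caught error and leaves `err` unused, so a reader cannot tell which failure it is meant to contain; a comment on the catch such as `// jQuery throws a syntax error when the derived class name is not a valid selector token; fall back to no selection` would state the intent. A tighter alternative that avoids a catch-all is to validate the derived name before building the selector, e.g. `if (selected && !/^fa-[\w-]+$/.test(selected)) { selected = ''; }`, assuming Font Awesome icon classes follow that shape (confirm against the icon list in partials/fontawesome). iconSelect.init continues past the end of the hunk.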
@@ -139,7 +139,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
 userData.moderationNote = validator.escape(String(userData.moderationNote || ''));
 userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
- userData['cover:position'] = userData['cover:position'] || '50% 50%';
+ userData['cover:position'] = validator.escape(String(userData['cover:position'] || '50% 50%'));
 userData['username:disableEdit'] = !userData.isAdmin && parseInt(meta.config['username:disableEdit'], 10) === 1;
 userData['email:disableEdit'] = !userData.isAdmin && parseInt(meta.config['email:disableEdit'], 10) === 1;
diff --git a/src/groups.js b/src/groups.js
index 7498ea4a2c..51c1d97dc8 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -157,7 +157,9 @@ var utils = require('../public/src/utils');
 }
 results.base['cover:url'] = results.base['cover:url'] || require('./coverPhoto').getDefaultGroupCover(groupName);
- results.base['cover:position'] = results.base['cover:position'] || '50% 50%';
+ results.base['cover:position'] = validator.escape(String(results.base['cover:position'] || '50% 50%'));
+ results.base.labelColor = validator.escape(String(results.base.labelColor || '#000000'));
+ results.base.icon = validator.escape(String(results.base.icon || ''));
 plugins.fireHook('filter:parse.raw', results.base.description, function (err, descriptionParsed) {
 if (err) {
@@ -400,7 +402,8 @@ var utils = require('../public/src/utils');
 if (group) {
 Groups.escapeGroupData(group);
 group.userTitleEnabled = group.userTitleEnabled ? parseInt(group.userTitleEnabled, 10) === 1 : true;
- group.labelColor = group.labelColor || '#000000';
+ group.labelColor = validator.escape(String(group.labelColor || '#000000'));
+ group.icon = validator.escape(String(group.icon || ''));
 group.createtimeISO = utils.toISOString(group.createtime);
 group.hidden = parseInt(group.hidden, 10) === 1;
 group.system = parseInt(group.system, 10) === 1;
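Review bot: `validator.escape` on `cover:position` neutralises HTML attribute breakout but does not constrain the value to a CSS position, so any character outside the escaped set survives into wherever the string is interpolated (presumably a style attribute — confirm in the profile template). If the stored values are always two percentages, a whitelist such as `if (!/^\d{1,3}(\.\d+)?% \d{1,3}(\.\d+)?%$/.test(String(userData['cover:position']))) { userData['cover:position'] = '50% 50%'; }` is a tighter check than escaping alone, with a comment noting that the value is rendered as CSS rather than HTML. The same point applies to the `cover:position` lines in the src/groups.js hunks at @@ -157 and @@ -409, and `labelColor` in src/groups.js could likewise be validated against a `#rrggbb` pattern instead of escaped.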
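Review bot: In the @@ -400 hunk of src/groups.js, `Groups.escapeGroupData(group)` runs immediately before the new `validator.escape` calls on `group.labelColor` and `group.icon`; if escapeGroupData already covers either field (its body is not visible here), the value is escaped twice and a stored `&` renders as `&amp;amp;`. Either confirm those fields are outside escapeGroupData's scope, or move the two new lines into it so each field is escaped exactly once and in one place. The @@ -157 hunk escapes the same two fields on `results.base`, so that path is worth checking for the same overlap.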
@@ -409,7 +412,7 @@ var utils = require('../public/src/utils');
 group['cover:url'] = group['cover:url'] || require('./coverPhoto').getDefaultGroupCover(group.name);
 group['cover:thumb:url'] = group['cover:thumb:url'] || group['cover:url'];
- group['cover:position'] = group['cover:position'] || '50% 50%';
+ group['cover:position'] = validator.escape(String(group['cover:position'] || '50% 50%'));
 }
 });
diff --git a/src/posts/create.js b/src/posts/create.js
index 20df3768e4..2b626bd52b 100644
--- a/src/posts/create.js
+++ b/src/posts/create.js
@@ -9,7 +9,7 @@ var plugins = require('../plugins');
 var user = require('../user');
 var topics = require('../topics');
 var categories = require('../categories');
-
+var utils = require('../../public/src/utils');
 module.exports = function (Posts) {
@@ -24,6 +24,10 @@ module.exports = function (Posts) {
 return callback(new Error('[[error:invalid-uid]]'));
 }
+ if (data.toPid && !utils.isNumber(data.toPid)) {
+ return callback(new Error('[[error:invalid-pid]]'));
+ }
+
 var postData;
 async.waterfall([
diff --git a/test/topics.js b/test/topics.js
index 27c30599cd..9577f89a1e 100644
--- a/test/topics.js
+++ b/test/topics.js
@@ -152,6 +152,13 @@ describe('Topic\'s', function () {
 done();
 });
 });
+
+ it('should fail to create new reply with invalid toPid', function (done) {
+ topics.reply({uid: topic.userId, content: 'test post', tid: newTopic.tid, toPid: '"onmouseover=alert(1);//'}, function (err) {
+ assert.equal(err.message, '[[error:invalid-pid]]');
+ done();
+ });
+ });
 });
 describe('Get methods', function () {
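Review bot: The new toPid guard in src/posts/create.js (@@ -24) accepts whatever `utils.isNumber` accepts, and that helper's rules are not visible here; if it treats any finite numeric string as a number (decimals, exponent forms, signs), values such as `'1.5'` or `'-1'` pass and reach the later lookup unchanged. A post id is a positive integer, so an explicit shape check, e.g. `if (data.toPid && !/^\d+$/.test(String(data.toPid))) {`, would pin the accepted form independently of the shared client/server helper. The `data.toPid &&` prefix deliberately lets an absent toPid through; a comment such as `// toPid is optional; when present it must be an existing post id` would make that explicit. Posts.create continues outside the hunk.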
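Review bot: The new test in test/topics.js dereferences `err.message` without first asserting that an error was returned; if `topics.reply` ever succeeds, `err` is null and the callback throws a TypeError, which surfaces as an unhandled exception or a timeout rather than a clear assertion failure. Add `assert.ok(err);` before the `assert.equal`. A companion case checking that a numeric-string `toPid` referring to an existing post still succeeds would guard the happy path, since the new validation applies to every reply.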