From 8610c44e7805123a2abb6ddb5bfd41d8f0fce53b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 28 May 2015 15:14:40 -0400
Subject: [PATCH] escape group data
---
 src/groups.js | 19 +++++++++++++++----
 src/groups/search.js | 4 ++++
 2 files changed, 19 insertions(+), 4 deletions(-)
diff --git a/src/groups.js b/src/groups.js
index e8beb2f002..f876591399 100644
--- a/src/groups.js
+++ b/src/groups.js
@@ -86,6 +86,7 @@ var async = require('async'),
 if (!group) {
 return;
 }
+ Groups.escapeGroupData(group);
 group.members = data.members[index] || [];
 group.truncated = group.memberCount > data.members.length;
 });
@@ -171,13 +172,15 @@ var async = require('async'),
 if (err) {
 return callback(err);
 }
- results.base.name = options.escape ? validator.escape(results.base.name) : results.base.name;
- results.base.description = options.escape ? validator.escape(results.base.description) : results.base.description;
+
+ if (options.escape) {
+ Groups.escapeGroupData(results.base);
+ }
+
 results.base.descriptionParsed = descriptionParsed;
- results.base.userTitle = options.escape ? validator.escape(results.base.userTitle) : results.base.userTitle;
 results.base.userTitleEnabled = results.base.userTitleEnabled ? !!parseInt(results.base.userTitleEnabled, 10) : true;
 results.base.createtimeISO = utils.toISOString(results.base.createtime);
- results.base.members = results.members.filter(Boolean);
+ results.base.members = results.members;
 results.base.pending = results.pending.filter(Boolean);
 results.base.deleted = !!parseInt(results.base.deleted, 10);
 results.base.hidden = !!parseInt(results.base.hidden, 10);
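Review bot: In the `@@ -86,6 +86,7 @@` hunk of src/groups.js, `Groups.escapeGroupData(group)` rewrites `name`, `description` and `userTitle` on the group object in place, and `validator.escape` is not idempotent, so a group that reaches a second escaping call site comes out double-encoded (`&` becomes `&amp;`, then `&amp;amp;`). This commit creates three such call sites: this loop, the `options.escape` branch in the `@@ -171,13 +172,15 @@` hunk, and the new waterfall step in src/groups/search.js; nothing visible in the diff stops one object from passing through two of them. I would state the contract at the call, e.g. `// name/description/userTitle are HTML-escaped in place from here on; do not escape this object again`, and keep escaping at a single layer. The enclosing function begins and ends outside this hunk, so how its callers use the list is not visible here.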
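Review bot: The change from `results.members.filter(Boolean)` to `results.base.members = results.members;` in the `@@ -171,13 +172,15 @@` hunk is unrelated to escaping and drops the falsy-entry filter that the next line still applies to `pending`. If `results.members` can contain empty slots (its construction is outside the hunk), consumers that read fields off each member will now meet `null` or `undefined`; either keep `.filter(Boolean)` or add a comment saying where the filtering now happens. Separately, escaping in this function stays opt-in through `options.escape` while the list and search paths escape unconditionally, so callers that omit the flag still receive raw `name`, `description` and `userTitle` and must encode them at render time. A comment such as `// without options.escape these fields are raw user input` above the `if` would make that visible.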
@@ -195,6 +198,14 @@ var async = require('async'),
 });
 };
+ Groups.escapeGroupData = function(group) {
+ if (group) {
+ group.name = validator.escape(group.name);
+ group.description = validator.escape(group.description);
+ group.userTitle = validator.escape(group.userTitle);
+ }
+ };
+
 Groups.getByGroupslug = function(slug, options, callback) {
 db.getObjectField('groupslug:groupname', slug, function(err, groupName) {
 if (err) {
diff --git a/src/groups/search.js b/src/groups/search.js
index 4629d17af2..b737123b62 100644
--- a/src/groups/search.js
+++ b/src/groups/search.js
@@ -21,6 +21,10 @@ module.exports = function(Groups) {
 groupNames = groupNames.slice(0, 100);
 Groups.getGroupsData(groupNames, next);
 },
+ function(groupsData, next) {
+ groupsData.forEach(Groups.escapeGroupData);
+ next(null, groupsData);
+ },
 async.apply(Groups.sort, options.sort)
 ], callback);
 };
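Review bot: `Groups.escapeGroupData` in the `@@ -195,6 +198,14 @@` hunk passes `group.name`, `group.description` and `group.userTitle` to `validator.escape` without checking that they are set, and it has no doc comment saying that it mutates its argument. What happens for a missing field depends on the validator version in use, which the diff does not show: older releases coerce `undefined` to an empty string, newer ones throw a TypeError on non-string input. A guard per field keeps the behaviour stable across upgrades, e.g. `group.userTitle = validator.escape(String(group.userTitle || ''));`. I would also add a comment above the function stating that it HTML-escapes exactly these three fields in place, returns nothing, and leaves every other group field as stored.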
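Review bot: In src/groups/search.js the new escaping step runs before `async.apply(Groups.sort, options.sort)`, so any sort mode that compares `name` will order entity-encoded strings rather than the names as stored; the implementation of `Groups.sort` is not in this diff, so that is an inference. Assuming `Groups.sort` passes the array on to the next step, moving the `function(groupsData, next) { ... }` step after it keeps ordering independent of encoding. The step also relies on `escapeGroupData` ignoring the index and array arguments that `forEach` supplies; `groupsData.forEach(function(group) { Groups.escapeGroupData(group); });` makes that explicit. The enclosing search function starts above the hunk.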