closes #6004

7 years ago · a11058bce2
parent a73c2628c4
commit a11058bce2
2 changed files with 32 additions and 2 deletions
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@ -5,6 +5,7 @@ var winston = require('winston');
 var user = require('../user');
 var meta = require('../meta');
 var plugins = require('../plugins');
+var jsesc = require('jsesc');

 var controllers = {
 	api: require('../controllers/api'),
@ -73,11 +74,11 @@ module.exports = function (middleware) {

 				var templateValues = {
 					config: results.config,
-					configJSON: JSON.stringify(results.config),
+					configJSON: jsesc(JSON.stringify(results.config), { isScriptContext: true }),
 					relative_path: results.config.relative_path,
 					adminConfigJSON: encodeURIComponent(JSON.stringify(results.configs)),
 					user: userData,
-					userJSON: JSON.stringify(userData).replace(/'/g, "\\'"),
+					userJSON: jsesc(JSON.stringify(userData), { isScriptContext: true }),
 					plugins: results.custom_header.plugins,
 					authentication: results.custom_header.authentication,
 					scripts: results.scripts,
--- a/test/controllers-admin.js
+++ b/test/controllers-admin.js
@ -578,4 +578,33 @@ describe('Admin Controllers', function () {
 			});
 		});
 	});
+
+	it('should escape special characters in config', function (done) {
+		var plugins = require('../src/plugins');
+		function onConfigGet(config, callback) {
+			config.someValue = '"foo"';
+			config.otherValue = "'123'";
+			config.script = '</script>';
+			callback(null, config);
+		}
+		plugins.registerHook('somePlugin', { hook: 'filter:config.get', method: onConfigGet });
+		request(nconf.get('url') + '/admin', { jar: jar }, function (err, res, body) {
+			assert.ifError(err);
+			assert.equal(res.statusCode, 200);
+			assert(body);
+			assert(body.indexOf('"someValue":"\\\\"foo\\\\""') !== -1);
+			assert(body.indexOf('"otherValue":"\\\'123\\\'"') !== -1);
+			assert(body.indexOf('"script":"<\\/script>"') !== -1);
+			request(nconf.get('url'), { jar: jar }, function (err, res, body) {
+				assert.ifError(err);
+				assert.equal(res.statusCode, 200);
+				assert(body);
+				assert(body.indexOf('"someValue":"\\\\"foo\\\\""') !== -1);
+				assert(body.indexOf('"otherValue":"\\\'123\\\'"') !== -1);
+				assert(body.indexOf('"script":"<\\/script>"') !== -1);
+				plugins.unregisterHook('somePlugin', 'filter:config.get', onConfigGet);
+				done();
+			});
+		});
+	});
 });