From b0f3e48ac2ede6737e22f333ae6d7bbde126f16a Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 17 Jan 2020 11:48:00 -0500
Subject: [PATCH] fix: escape bootswatchSkin and homepageRoute

---
 src/user/settings.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/user/settings.js b/src/user/settings.js
index 82dde7d493..0a1ca94839 100644
--- a/src/user/settings.js
+++ b/src/user/settings.js
@@ -1,6 +1,8 @@
 'use strict';
 
+const validator = require('validator');
+
 const meta = require('../meta');
 const db = require('../database');
 const plugins = require('../plugins');
@@ -56,7 +58,8 @@ module.exports = function (User) {
 settings.upvoteNotifFreq = getSetting(settings, 'upvoteNotifFreq', 'all');
 settings.restrictChat = parseInt(getSetting(settings, 'restrictChat', 0), 10) === 1;
 settings.topicSearchEnabled = parseInt(getSetting(settings, 'topicSearchEnabled', 0), 10) === 1;
-settings.bootswatchSkin = settings.bootswatchSkin || '';
+settings.bootswatchSkin = validator.escape(String(settings.bootswatchSkin || ''));
+settings.homePageRoute = validator.escape(String(settings.homePageRoute || ''));
 settings.scrollToMyPost = parseInt(getSetting(settings, 'scrollToMyPost', 1), 10) === 1;
 settings.categoryWatchState = getSetting(settings, 'categoryWatchState', 'notwatching');