resolve XSS vulnerability in flags pages

v1.18.x
Julian Lam 7 years ago
parent 9101400264
commit b44cfacda1

@ -4,6 +4,7 @@ var async = require('async');
var _ = require('lodash'); var _ = require('lodash');
var S = require('string'); var S = require('string');
var winston = require('winston'); var winston = require('winston');
var validator = require('validator');
var db = require('./database'); var db = require('./database');
var user = require('./user'); var user = require('./user');
@ -92,6 +93,7 @@ Flags.get = function (flagId, callback) {
}, function (err, payload) { }, function (err, payload) {
// Final object return construction // Final object return construction
next(err, Object.assign(data.base, { next(err, Object.assign(data.base, {
description: validator.escape(data.base.description),
datetimeISO: new Date(parseInt(data.base.datetime, 10)).toISOString(), datetimeISO: new Date(parseInt(data.base.datetime, 10)).toISOString(),
target_readable: data.base.type.charAt(0).toUpperCase() + data.base.type.slice(1) + ' ' + data.base.targetId, target_readable: data.base.type.charAt(0).toUpperCase() + data.base.type.slice(1) + ' ' + data.base.targetId,
target: payload.targetObj, target: payload.targetObj,
@ -200,6 +202,7 @@ Flags.list = function (filters, uid, callback) {
} }
next(null, Object.assign(flagObj, { next(null, Object.assign(flagObj, {
description: validator.escape(flagObj.description),
target_readable: flagObj.type.charAt(0).toUpperCase() + flagObj.type.slice(1) + ' ' + flagObj.targetId, target_readable: flagObj.type.charAt(0).toUpperCase() + flagObj.type.slice(1) + ' ' + flagObj.targetId,
datetimeISO: new Date(parseInt(flagObj.datetime, 10)).toISOString(), datetimeISO: new Date(parseInt(flagObj.datetime, 10)).toISOString(),
})); }));
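Review bot: The new `description: validator.escape(data.base.description)` line in the Flags.get hunk (and its twin in the Flags.list hunk) passes the field straight through, and validator.js's `escape` rejects non-string input with a TypeError, so any flag record stored without a description would make the whole callback throw instead of returning the flag; this is only a problem if description is optional in the stored record, which the hunk does not show. Guarding with `description: validator.escape(data.base.description || ''),` and `description: validator.escape(flagObj.description || ''),` keeps the escaping while tolerating a missing field. On the adjacent `target_readable` lines, `type` and `targetId` are concatenated unescaped; they look like internal values (a type name and an id), but if either can originate from client input they need the same treatment. Both enclosing functions, Flags.get and Flags.list, begin and end outside these hunks.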
