some escaping and fixed uploads in progress

11 years ago · b9139ef263
parent 3198275209
commit b9139ef263
6 changed files with 18 additions and 14 deletions
--- a/public/src/forum/topic.js
+++ b/public/src/forum/topic.js
@ -341,7 +341,7 @@ define('forum/topic', ['forum/pagination', 'forum/infinitescroll', 'forum/topic/

 		findInsertionPoint();

-		data.title = ajaxify.variables.get('topic_name');
+		data.title = $('<div></div>').text(ajaxify.variables.get('topic_name')).html();
 		data.viewcount = ajaxify.variables.get('viewcount');

 		infinitescroll.parseAndTranslate('topic', 'posts', data, function(html) {
--- a/public/src/modules/composer.js
+++ b/public/src/modules/composer.js
@ -209,7 +209,7 @@ define('composer', ['taskbar', 'composer/controls', 'composer/uploads', 'compose
 					bodyEl = postContainer.find('textarea'),
 					draft = drafts.getDraft(postData.save_id);

-				postData.title = $('<div></div>').html(postData.title).text();
+				postData.title = $('<div></div>').text(postData.title).html();

 				updateTitle(postData, postContainer);

@ -408,9 +408,9 @@ define('composer', ['taskbar', 'composer/controls', 'composer/uploads', 'compose
 		$('body').css({'margin-bottom': postContainer.css('height')});

 		if (env !== 'sm' && env !== 'xs') {
-			focusElements(post_uuid);	
+			focusElements(post_uuid);
 		}
-		
+
 		resizeTabContent(postContainer);
 	}

@ -455,7 +455,7 @@ define('composer', ['taskbar', 'composer/controls', 'composer/uploads', 'compose

 		var checkTitle = parseInt(postData.cid, 10) || parseInt(postData.pid, 10);

-		if (postData.uploadsInProgress && postData.uploadsInProgress.length) {
+		if (uploads.inProgress[post_uuid] && uploads.inProgress[post_uuid].length) {
 			return composerAlert('[[error:still-uploading]]');
 		} else if (checkTitle && titleEl.val().length < parseInt(config.minimumTitleLength, 10)) {
 			return composerAlert('[[error:title-too-short, ' + config.minimumTitleLength + ']]');
--- a/public/src/modules/composer/uploads.js
+++ b/public/src/modules/composer/uploads.js
@ -3,7 +3,9 @@
 /* globals define, utils, config, app */

 define('composer/uploads', function() {
-	var uploads = {};
+	var uploads = {
+		inProgress: {}
+	};

 	uploads.initialize = function(post_uuid) {

@ -234,8 +236,8 @@ define('composer/uploads', function() {
 				formData.append('_csrf', $('#csrf_token').val());
 			}

-			uploads[post_uuid] = uploads[post_uuid] || [];
-			uploads[post_uuid].push(1);
+			uploads.inProgress[post_uuid] = uploads.inProgress[post_uuid] || [];
+			uploads.inProgress[post_uuid].push(1);

 			$(this).ajaxSubmit({
 				resetForm: true,
@ -264,7 +266,7 @@ define('composer/uploads', function() {

 				complete: function() {
 					uploadForm[0].reset();
-					uploads[post_uuid].pop();
+					uploads.inProgress[post_uuid].pop();
 				}
 			});

@ -293,8 +295,8 @@ define('composer/uploads', function() {

 			spinner.removeClass('hide');

-			uploads[post_uuid] = uploads[post_uuid] || [];
-			uploads[post_uuid].push(1);
+			uploads.inProgress[post_uuid] = uploads.inProgress[post_uuid] || [];
+			uploads.inProgress[post_uuid].push(1);

 			$(this).ajaxSubmit({
 				formData: formData,
@ -305,7 +307,7 @@ define('composer/uploads', function() {
 					postContainer.find('#topic-thumb-url').val((uploads[0] || {}).url || '').trigger('change');
 				},
 				complete: function() {
-					uploads[post_uuid].pop();
+					uploads.inProgress[post_uuid].pop();
 					spinner.addClass('hide');
 				}
 			});
--- a/public/src/modules/notifications.js
+++ b/public/src/modules/notifications.js
@ -24,7 +24,7 @@ define('notifications', ['sounds'], function(sound) {
 						} else {
 							image = '';
 						}
-
+						notification.text = $('<div/>').text(notification.text).html();
 						return '<li class="' + (notification.readClass || '') + '"><a href="' + (notification.path || '#') + '">' + image + '<span class="pull-right relTime">' + utils.relativeTime(notification.datetime, true) + '</span><span class="text">' + notification.text + '</span></a></li>';
 					}

--- a/public/src/modules/taskbar.js
+++ b/public/src/modules/taskbar.js
@ -60,7 +60,7 @@ define('taskbar', function() {
 			var element = taskbar.tasklist.find('li[data-uuid="'+uuid+'"]');
 			if(element.length)
 				return;
-			var title = $('<div></div>').html(options.title || 'NodeBB Task').text();
+			var title = $('<div></div>').text(options.title || 'NodeBB Task').html();

 			var	btnEl = $('<li />')
 				.html('<a href="#">' +
--- a/src/topics/create.js
+++ b/src/topics/create.js
@ -2,6 +2,7 @@
 'use strict';

 var async = require('async'),
+	validator = require('validator'),
 	db = require('../database'),
 	utils = require('../../public/src/utils'),
 	plugins = require('../plugins'),
@ -229,6 +230,7 @@ module.exports = function(Topics) {
 				Topics.getTopicFields(tid, ['tid', 'title', 'slug'], next);
 			},
 			function(topicData, next) {
+				topicData.title = validator.escape(topicData.title);
 				postData.topic = topicData;
 				next();
 			},