fix: #8539, enforce content checks for post queue

src/posts/queue.js

@@ -94,6 +94,12 @@ module.exports = function (Posts) {
 			reply: 'topics:reply',
 		};
 
+		topics.checkContent(data.content);
+		if (type === 'topic') {
+			topics.checkTitle(data.title);
+			await topics.validateTags(data.tags);
+		}
+
 		const [canPost] = await Promise.all([
 			privileges.categories.can(typeToPrivilege[type], cid, data.uid),
 			user.isReadyToQueue(data.uid, cid),

src/topics/create.js

@@ -1,24 +1,24 @@
 
 'use strict';
 
-var _ = require('lodash');
+const _ = require('lodash');
-var validator = require('validator');
+const validator = require('validator');
-
+
-var db = require('../database');
+const db = require('../database');
-var utils = require('../utils');
+const utils = require('../utils');
-var plugins = require('../plugins');
+const plugins = require('../plugins');
-var analytics = require('../analytics');
+const analytics = require('../analytics');
-var user = require('../user');
+const user = require('../user');
-var meta = require('../meta');
+const meta = require('../meta');
-var posts = require('../posts');
+const posts = require('../posts');
-var privileges = require('../privileges');
+const privileges = require('../privileges');
-var categories = require('../categories');
+const categories = require('../categories');
 const translator = require('../translator');
 
 module.exports = function (Topics) {
 	Topics.create = async function (data) {
 		// This is an internal method, consider using Topics.post instead
-		var timestamp = data.timestamp || Date.now();
+		const timestamp = data.timestamp || Date.now();
 		await Topics.resizeAndUploadThumb(data);
 
 		const tid = await db.incrObjectField('global', 'nextTid');
@@ -71,9 +71,9 @@ module.exports = function (Topics) {
 		if (data.content) {
 			data.content = utils.rtrim(data.content);
 		}
-		check(data.title, meta.config.minimumTitleLength, meta.config.maximumTitleLength, 'title-too-short', 'title-too-long');
+		Topics.checkTitle(data.title);
 		await Topics.validateTags(data.tags, data.cid);
-		check(data.content, meta.config.minimumPostLength, meta.config.maximumPostLength, 'content-too-short', 'content-too-long');
+		Topics.checkContent(data.content);
 
 		const [categoryExists, canCreate, canTag] = await Promise.all([
 			categories.exists(data.cid),
@@ -135,8 +135,8 @@ module.exports = function (Topics) {
 	};
 
 	Topics.reply = async function (data) {
-		var tid = data.tid;
+		const tid = data.tid;
-		var uid = data.uid;
+		const uid = data.uid;
 
 		const topicData = await Topics.getTopicData(tid);
 		if (!topicData) {
@@ -170,7 +170,7 @@ module.exports = function (Topics) {
 		if (data.content) {
 			data.content = utils.rtrim(data.content);
 		}
-		check(data.content, meta.config.minimumPostLength, meta.config.maximumPostLength, 'content-too-short', 'content-too-long');
+		Topics.checkContent(data.content);
 
 		data.ip = data.req ? data.req.ip : null;
 		let postData = await posts.create(data);
@@ -235,6 +235,14 @@ module.exports = function (Topics) {
 		return postData;
 	}
 
+	Topics.checkTitle = function (title) {
+		check(title, meta.config.minimumTitleLength, meta.config.maximumTitleLength, 'title-too-short', 'title-too-long');
+	};
+
+	Topics.checkContent = function (content) {
+		check(content, meta.config.minimumPostLength, meta.config.maximumPostLength, 'content-too-short', 'content-too-long');
+	};
+
 	function check(item, min, max, minError, maxError) {
 		// Trim and remove HTML (latter for composers that send in HTML, like redactor)
 		if (typeof item === 'string') {