closes #3297

10 years ago · da1c347fc2
parent ffd22f50ff
commit da1c347fc2
2 changed files with 4 additions and 1 deletions
--- a/src/middleware/middleware.js
+++ b/src/middleware/middleware.js
@ -274,7 +274,7 @@ middleware.renderHeader = function(req, res, callback) {
 		templateValues.linkTags = results.tags.link;
 		templateValues.isAdmin = results.user.isAdmin;
 		templateValues.user = results.user;
-		templateValues.userJSON = JSON.stringify(results.user).replace(/'/g, "\\'");
+		templateValues.userJSON = JSON.stringify(results.user);
 		templateValues.customCSS = results.customCSS;
 		templateValues.customJS = results.customJS;
 		templateValues.maintenanceHeader = parseInt(meta.config.maintenanceMode, 10) === 1 && !results.isAdmin;
--- a/src/user.js
+++ b/src/user.js
@ -3,6 +3,7 @@
 var	async = require('async'),
 	nconf = require('nconf'),
 	gravatar = require('gravatar'),
+	validator = require('validator'),

 	plugins = require('./plugins'),
 	db = require('./database'),
@ -111,6 +112,8 @@ var	async = require('async'),
 				return;
 			}

+			user.username = validator.escape(user.username);
+
 			if (user.password) {
 				user.password = undefined;
 			}