escape moderation notes

8 years ago · dc9b21021a
parent db13aac106
commit dc9b21021a
3 changed files with 19 additions and 20 deletions
--- a/src/controllers/accounts/info.js
+++ b/src/controllers/accounts/info.js
@ -47,24 +47,21 @@ infoController.get = function (req, res, callback) {
 				},
 			}, next);
 		},
-	], function (err, data) {
-		if (err) {
-			return callback(err);
-		}
+		function (data) {
+			userData.history = data.history;
+			userData.sessions = data.sessions;
+			userData.usernames = data.usernames;
+			userData.emails = data.emails;

-		userData.history = data.history;
-		userData.sessions = data.sessions;
-		userData.usernames = data.usernames;
-		userData.emails = data.emails;
-
-		if (userData.isAdminOrGlobalModeratorOrModerator) {
-			userData.moderationNotes = data.notes.notes;
-			var pageCount = Math.ceil(data.notes.count / itemsPerPage);
-			userData.pagination = pagination.create(page, pageCount, req.query);
-		}
-		userData.title = '[[pages:account/info]]';
-		userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);
+			if (userData.isAdminOrGlobalModeratorOrModerator) {
+				userData.moderationNotes = data.notes.notes;
+				var pageCount = Math.ceil(data.notes.count / itemsPerPage);
+				userData.pagination = pagination.create(page, pageCount, req.query);
+			}
+			userData.title = '[[pages:account/info]]';
+			userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);

-		res.render('account/info', userData);
-	});
+			res.render('account/info', userData);
+		},
+	], callback);
 };
--- a/src/user/info.js
+++ b/src/user/info.js
@ -166,6 +166,7 @@ module.exports = function (User) {
 						var data = JSON.parse(note);
 						uids.push(data.uid);
 						data.timestampISO = utils.toISOString(data.timestamp);
+						data.note = validator.escape(String(data.note));
 						return data;
 					} catch (err) {
 						return next(err);
--- a/test/user.js
+++ b/test/user.js
@ -1236,15 +1236,16 @@ describe('User', function () {
 					setTimeout(next, 50);
 				},
 				function (next) {
-					socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: 'second moderation note' }, next);
+					socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: '<svg/onload=alert(document.location);//' }, next);
 				},
 				function (next) {
 					User.getModerationNotes(testUid, 0, -1, next);
 				},
 			], function (err, notes) {
 				assert.ifError(err);
-				assert.equal(notes[0].note, 'second moderation note');
+				assert.equal(notes[0].note, '&lt;svg&#x2F;onload=alert(document.location);&#x2F;&#x2F;');
 				assert.equal(notes[0].uid, adminUid);
+				assert.equal(notes[1].note, 'this is a test user');
 				assert(notes[0].timestamp);
 				done();
 			});