escape email in registration queue and invites

src/user/approval.js

@@ -4,6 +4,7 @@
 var async = require('async');
 var request = require('request');
 var winston = require('winston');
+var validator = require('validator');
 
 var db = require('../database');
 var meta = require('../meta');
@@ -168,6 +169,7 @@ module.exports = function (User) {
 			function (users, next) {
 				users = users.filter(Boolean).map(function (user, index) {
 					user.timestampISO = utils.toISOString(data[index].score);
+					user.email = validator.escape(String(user.email));
 					delete user.hashedPassword;
 					return user;
 				});

src/user/invite.js

@@ -3,6 +3,7 @@
 
 var async = require('async');
 var nconf = require('nconf');
+var validator = require('validator');
 
 var db = require('./../database');
 var meta = require('../meta');
@@ -10,10 +11,19 @@ var emailer = require('../emailer');
 var translator = require('../translator');
 var utils = require('../utils');
 
-
 module.exports = function (User) {
 	User.getInvites = function (uid, callback) {
-		db.getSetMembers('invitation:uid:' + uid, callback);
+		async.waterfall([
+			function (next) {
+				db.getSetMembers('invitation:uid:' + uid, next);
+			},
+			function (emails, next) {
+				emails = emails.map(function (email) {
+					return validator.escape(String(email));
+				});
+				next(null, emails);
+			},
+		], callback);
 	};
 
 	User.getInvitesNumber = function (uid, callback) {

src/views/admin/manage/users.tpl

@@ -28,7 +28,7 @@
 					<a target="_blank" href="{config.relative_path}/api/admin/users/csv" class="btn btn-primary pull-right">[[admin/manage/users:download-csv]]</a>
 
 					<!-- IF inviteOnly -->
-					<button component="user/invite" class="btn btn-success form-control"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button>
+					<button component="user/invite" class="btn btn-success pull-right"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button>
 					<!-- ENDIF inviteOnly -->
 
 					<button id="createUser" class="btn btn-primary pull-right">[[admin/manage/users:new]]</button>

test/user.js

@@ -1405,7 +1405,7 @@ describe('User', function () {
 				username: 'rejectme',
 				password: '123456',
 				'password-confirm': '123456',
-				email: 'reject@me.com',
+				email: '<script>alert("ok");<script>reject@me.com',
 			}, function (err) {
 				assert.ifError(err);
 				helpers.loginUser('admin', '123456', function (err, jar) {
@@ -1413,7 +1413,7 @@ describe('User', function () {
 					request(nconf.get('url') + '/api/admin/manage/registration', { jar: jar, json: true }, function (err, res, body) {
 						assert.ifError(err);
 						assert.equal(body.users[0].username, 'rejectme');
-						assert.equal(body.users[0].email, 'reject@me.com');
+						assert.equal(body.users[0].email, '&lt;script&gt;alert(&quot;ok&quot;);&lt;script&gt;reject@me.com');
 						done();
 					});
 				});
@@ -1600,6 +1600,17 @@ describe('User', function () {
 				});
 			});
 		});
+
+		it('should escape email', function (done) {
+			socketUser.invite({ uid: inviterUid }, '<script>alert("ok");</script>', function (err) {
+				assert.ifError(err);
+				User.getInvites(inviterUid, function (err, data) {
+					assert.ifError(err);
+					assert.equal(data[0], '&lt;script&gt;alert(&quot;ok&quot;);&lt;&#x2F;script&gt;');
+					done();
+				});
+			});
+		});
 	});
 
 	describe('email confirm', function () {