From e3fd4020706ae1e44c92bc3da1b0385d628c503f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 1 Dec 2017 17:38:02 -0500
Subject: [PATCH] escape email in registration queue and invites
---
 src/user/approval.js | 2 ++
 src/user/invite.js | 14 ++++++++++++--
 src/views/admin/manage/users.tpl | 2 +-
 test/user.js | 15 +++++++++++++--
 4 files changed, 28 insertions(+), 5 deletions(-)
diff --git a/src/user/approval.js b/src/user/approval.js
index 710b66930a..a42c400109 100644
--- a/src/user/approval.js
+++ b/src/user/approval.js
@@ -4,6 +4,7 @@
 var async = require('async');
 var request = require('request');
 var winston = require('winston');
+var validator = require('validator');
 var db = require('../database');
 var meta = require('../meta');
@@ -168,6 +169,7 @@ module.exports = function (User) {
 function (users, next) {
 users = users.filter(Boolean).map(function (user, index) {
 user.timestampISO = utils.toISOString(data[index].score);
+ user.email = validator.escape(String(user.email));
 delete user.hashedPassword;
 return user;
 });
diff --git a/src/user/invite.js b/src/user/invite.js
index d3d7189296..e211a67bc7 100644
--- a/src/user/invite.js
+++ b/src/user/invite.js
@@ -3,6 +3,7 @@
 var async = require('async');
 var nconf = require('nconf');
+var validator = require('validator');
 var db = require('./../database');
 var meta = require('../meta');
@@ -10,10 +11,19 @@ var emailer = require('../emailer');
 var translator = require('../translator');
 var utils = require('../utils');
-
 module.exports = function (User) {
 User.getInvites = function (uid, callback) {
- db.getSetMembers('invitation:uid:' + uid, callback);
+ async.waterfall([
+ function (next) {
+ db.getSetMembers('invitation:uid:' + uid, next);
+ },
+ function (emails, next) {
+ emails = emails.map(function (email) {
+ return validator.escape(String(email));
+ });
+ next(null, emails);
+ },
+ ], callback);
 };
 User.getInvitesNumber = function (uid, callback) {
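Review bot: In the approval.js hunk, `String(user.email)` turns a missing email into the literal text "undefined" before it is escaped, so a queued registration without an email would show that word in the admin list; `user.email = validator.escape(String(user.email || ''));` keeps the field empty instead. Escaping inside the model also changes what every consumer of this user list receives, not just the admin template, so anything that forwards the address to the mailer or to the CSV export would now get the entity-encoded form; I cannot see the callers from this hunk, and the enclosing waterfall continues outside it, so that is worth confirming. The escape is sound as output encoding for the template, but the stronger control is to reject malformed addresses at registration time so markup never reaches the queue in the first place.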
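Review bot: In the invite.js hunk, `User.getInvites` now returns HTML-escaped strings, so any caller that compares the list against a raw address (for example when an invitation is redeemed) would stop matching addresses containing `&`, `'`, `"` or `/`; the callers are not visible here, so please confirm this function is only used for display, or keep the raw set lookup for comparisons. Reassigning the `emails` parameter is unnecessary: `next(null, emails.map(function (email) { return validator.escape(String(email)); }));` does the same in one step. A `waterfall` with a single transform step is heavier than a plain callback wrapper, though that is a matter of taste.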
diff --git a/src/views/admin/manage/users.tpl b/src/views/admin/manage/users.tpl index 6a16141aca..bebded1a5e 100644 --- a/src/views/admin/manage/users.tpl +++ b/src/views/admin/manage/users.tpl @@ -28,7 +28,7 @@ [[admin/manage/users:download-csv]] - + diff --git a/test/user.js b/test/user.js index 0135c339b2..82046c525a 100644 --- a/test/user.js +++ b/test/user.js @@ -1405,7 +1405,7 @@ describe('User', function () { username: 'rejectme', password: '123456', 'password-confirm': '123456', - email: 'reject@me.com', + email: '', function (err) { + assert.ifError(err); + User.getInvites(inviterUid, function (err, data) { + assert.ifError(err); + assert.equal(data[0], '<script>alert("ok");</script>'); + done(); + }); + }); + }); }); describe('email confirm', function () {