From f68bce86a93499ef3b44301df3929cdd4c70fe99 Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Thu, 5 Nov 2020 19:18:17 -0500
Subject: [PATCH] fix: XSS in event:banned messaging modal
---
 src/api/users.js | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/api/users.js b/src/api/users.js
index 5d04a88406..e9cd6dea2c 100644
--- a/src/api/users.js
+++ b/src/api/users.js
@@ -1,5 +1,7 @@
 'use strict';
+const validator = require('validator');
+
 const db = require('../database');
 const user = require('../user');
 const groups = require('../groups');
@@ -163,7 +165,7 @@ usersAPI.ban = async function (caller, data) {
 sockets.in('uid_' + data.uid).emit('event:banned', {
 until: data.until,
- reason: data.reason,
+ reason: validator.escape(String(data.reason || '')),
 });
 await flags.resolveFlag('user', data.uid, caller.uid);