diff --git a/src/controllers/accounts.js b/src/controllers/accounts.js
index 78629b50cc..f21aff3f85 100644
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@@ -89,10 +89,17 @@ function getUserDataByUserSlug(userslug, callerUID, callback) {
  userData.profile_links = results.profile_links;
  userData.status = require('../socket.io').isUserOnline(userData.uid) ? (userData.status || 'online') : 'offline';
  userData.banned = parseInt(userData.banned, 10) === 1;
- userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), '');
+ userData.websiteName = userData.website.replace('http://', '').replace('https://', '');
  userData.followingCount = parseInt(userData.followingCount, 10) || 0;
  userData.followerCount = parseInt(userData.followerCount, 10) || 0;
 
+ userData.username = validator.escape(userData.username);
+ userData.email = validator.escape(userData.email);
+ userData.fullname = validator.escape(userData.fullname);
+ userData.websiteName = validator.escape(userData.websiteName);
+ userData.location = validator.escape(userData.location);
+ userData.signature = validator.escape(userData.signature);
+
  callback(null, userData);
 });
 });
diff --git a/src/user/profile.js b/src/user/profile.js
index 1eb66893ca..4961c1d13d 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -111,7 +111,6 @@ module.exports = function(User) {
  }
 
  data[field] = data[field].trim();
- data[field] = validator.escape(data[field]);
 
  if (field === 'email') {
  return updateEmail(uid, data.email, next);
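Review bot: The six added `validator.escape(...)` calls in getUserDataByUserSlug will throw a TypeError for any profile field that is unset, because validator's escape() rejects non-string input in its current releases and `fullname`, `location`, `signature` and `email` look optional for a user record (inferred from the surrounding code; the function's start lies outside the hunk). `userData.website` is also missing from the list even though the companion change in src/user/profile.js now stores it unescaped, so whatever renders the link href presumably receives raw user input. I would coerce and escape the display fields in one loop and include `website` in it, so the read-side escaping is the single place that has to be kept complete.
```javascript
	// … unchanged: followingCount / followerCount parsing …

	// profile.js no longer escapes on write, so escape on read and tolerate
	// unset (non-string) fields instead of letting validator.escape() throw.
	['username', 'email', 'fullname', 'website',
	 'websiteName', 'location', 'signature'].forEach(function (field) {
		userData[field] = validator.escape(String(userData[field] || ''));
	});
```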
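Review bot: Removing the `validator.escape(data[field])` line leaves every value previously saved through this path double-escaped once src/controllers/accounts.js starts escaping on read: a stored `&amp;` renders as `&amp;amp;` for existing users. The commit carries no migration or read-side normalisation for those records; if the pinned validator version exposes `unescape`, a one-off pass over the affected fields (or `validator.escape(validator.unescape(value))` on read) would keep old and new data consistent. Any other consumer of these fields (API responses, emails, other templates) now also receives raw user input and must escape for its own context, which is worth auditing before merge. The enclosing function starts and ends outside this hunk.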
@@ -122,8 +121,8 @@ module.exports = function(User) {
  } else if (field === 'signature') {
  data[field] = S(data[field]).stripTags().s;
  } else if (field === 'website') {
- if (!data[field].startsWith(validator.escape('http://')) && !data[field].startsWith(validator.escape('https://'))) {
- data[field] = validator.escape('http://') + data[field];
+ if (!data[field].startsWith('http://') && !data[field].startsWith('https://')) {
+ data[field] = 'http://' + data[field];
  }
  }
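Review bot: The scheme check on the new `startsWith('http://')` / `startsWith('https://')` lines is case-sensitive, so a value such as `HTTP://example.com` (constructed example) becomes `http://HTTP://example.com`; comparing a lower-cased copy, `var lower = data[field].toLowerCase();`, avoids the mangled link. Nothing else validates the value before it is stored, and with the write-side escaping gone a website string containing quotes or angle brackets now goes into the record verbatim and relies entirely on each renderer to escape it, so a `validator.isURL(data[field], { require_protocol: true })` check after the prefix step would be a cheap guard. The hunk header counts eight lines per side while seven are visible, so one context line appears lost in the listing; the enclosing function starts and ends outside it.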