make sure validator.escape() receives strings only

2025-10-28 01:26:16 +01:00 · 2016-08-27 15:45:15 +03:00
parent 431e7dd987
commit 07fe5057e1
20 changed files with 34 additions and 34 deletions
--- a/src/categories/data.js
+++ b/src/categories/data.js
@@ -42,7 +42,7 @@ module.exports = function(Categories) {
 			return;
 		}

-		category.name = validator.escape(category.name || '');
+		category.name = validator.escape(String(category.name || ''));
 		category.disabled = category.hasOwnProperty('disabled') ? parseInt(category.disabled, 10) === 1 : undefined;
 		category.icon = category.icon || 'hidden';
 		if (category.hasOwnProperty('post_count')) {
@@ -58,7 +58,7 @@ module.exports = function(Categories) {
 		}

 		if (category.description) {
-			category.description = validator.escape(category.description);
+			category.description = validator.escape(String(category.description));
 			category.descriptionParsed = category.descriptionParsed || category.description;
 		}
 	}
--- a/src/categories/recentreplies.js
+++ b/src/categories/recentreplies.js
@@ -137,7 +137,7 @@ module.exports = function(Categories) {
 						teaser.tid = teaser.uid = teaser.user.uid = undefined;
 						teaser.topic = {
 							slug: topicData[index].slug,
-							title: validator.escape(topicData[index].title)
+							title: validator.escape(String(topicData[index].title))
 						};
 					}
 				});
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -98,17 +98,17 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
 			userData.sso = results.sso.associations;
 			userData.status = user.getStatus(userData);
 			userData.banned = parseInt(userData.banned, 10) === 1;
-			userData.website = validator.escape(userData.website || '');
+			userData.website = validator.escape(String(userData.website || ''));
 			userData.websiteLink = !userData.website.startsWith('http') ? 'http://' + userData.website : userData.website;
 			userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), '');
 			userData.followingCount = parseInt(userData.followingCount, 10) || 0;
 			userData.followerCount = parseInt(userData.followerCount, 10) || 0;

-			userData.email = validator.escape(userData.email || '');
-			userData.fullname = validator.escape(userData.fullname || '');
-			userData.location = validator.escape(userData.location || '');
-			userData.signature = validator.escape(userData.signature || '');
-			userData.aboutme = validator.escape(userData.aboutme || '');
+			userData.email = validator.escape(String(userData.email || ''));
+			userData.fullname = validator.escape(String(userData.fullname || ''));
+			userData.location = validator.escape(String(userData.location || ''));
+			userData.signature = validator.escape(String(userData.signature || ''));
+			userData.aboutme = validator.escape(String(userData.aboutme || ''));

 			userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
 			userData['cover:position'] = userData['cover:position'] || '50% 50%';
--- a/src/controllers/api.js
+++ b/src/controllers/api.js
@@ -22,8 +22,8 @@ apiController.getConfig = function(req, res, next) {
 	config.environment = process.env.NODE_ENV;
 	config.relative_path = nconf.get('relative_path');
 	config.version = nconf.get('version');
-	config.siteTitle = validator.escape(meta.config.title || meta.config.browserTitle || 'NodeBB');
-	config.browserTitle = validator.escape(meta.config.browserTitle || meta.config.title || 'NodeBB');
+	config.siteTitle = validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB'));
+	config.browserTitle = validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB'));
 	config.titleLayout = (meta.config.titleLayout || '{pageTitle} | {browserTitle}').replace(/{/g, '&#123;').replace(/}/g, '&#125;');
 	config.showSiteTitle = parseInt(meta.config.showSiteTitle, 10) === 1;
 	config.minimumTitleLength = meta.config.minimumTitleLength;
@@ -53,7 +53,7 @@ apiController.getConfig = function(req, res, next) {
 	config['theme:id'] = meta.config['theme:id'];
 	config['theme:src'] = meta.config['theme:src'];
 	config.defaultLang = meta.config.defaultLang || 'en_GB';
-	config.userLang = req.query.lang ? validator.escape(req.query.lang) : config.defaultLang;
+	config.userLang = req.query.lang ? validator.escape(String(req.query.lang)) : config.defaultLang;
 	config.loggedIn = !!req.user;
 	config['cache-buster'] = meta.config['cache-buster'] || '';
 	config.requireEmailConfirmation = parseInt(meta.config.requireEmailConfirmation, 10) === 1;
@@ -76,7 +76,7 @@ apiController.getConfig = function(req, res, next) {
 				config.topicsPerPage = settings.topicsPerPage;
 				config.postsPerPage = settings.postsPerPage;
 				config.notificationSounds = settings.notificationSounds;
-				config.userLang = (req.query.lang ? validator.escape(req.query.lang) : null) || settings.userLang || config.defaultLang;
+				config.userLang = (req.query.lang ? validator.escape(String(req.query.lang)) : null) || settings.userLang || config.defaultLang;
 				config.openOutgoingLinksInNewTab = settings.openOutgoingLinksInNewTab;
 				config.topicPostSort = settings.topicPostSort || config.topicPostSort;
 				config.categoryTopicSort = settings.categoryTopicSort || config.categoryTopicSort;
--- a/src/controllers/categories.js
+++ b/src/controllers/categories.js
@@ -13,10 +13,10 @@ var categoriesController = {};
 categoriesController.list = function(req, res, next) {
 	res.locals.metaTags = [{
 		name: "title",
-		content: validator.escape(meta.config.title || 'NodeBB')
+		content: validator.escape(String(meta.config.title || 'NodeBB'))
 	}, {
 		name: "description",
-		content: validator.escape(meta.config.description || '')
+		content: validator.escape(String(meta.config.description || ''))
 	}, {
 		property: 'og:title',
 		content: '[[pages:categories]]'
--- a/src/controllers/groups.js
+++ b/src/controllers/groups.js
@@ -119,7 +119,7 @@ groupsController.members = function(req, res, next) {

 		var breadcrumbs = helpers.buildBreadcrumbs([
 			{text: '[[pages:groups]]', url: '/groups' },
-			{text: validator.escape(groupName), url: '/groups/' + req.params.slug},
+			{text: validator.escape(String(groupName)), url: '/groups/' + req.params.slug},
 			{text: '[[groups:details.members]]'}
 		]);

--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@@ -67,7 +67,7 @@ helpers.buildCategoryBreadcrumbs = function(cid, callback) {

 			if (!parseInt(data.disabled, 10)) {
 				breadcrumbs.unshift({
-					text: validator.escape(data.name),
+					text: validator.escape(String(data.name)),
 					url: nconf.get('relative_path') + '/category/' + data.slug
 				});
 			}
@@ -119,7 +119,7 @@ helpers.buildBreadcrumbs = function(crumbs) {
 helpers.buildTitle = function(pageTitle) {
 	var titleLayout = meta.config.titleLayout || '{pageTitle} | {browserTitle}';

-	var browserTitle = validator.escape(meta.config.browserTitle || meta.config.title || 'NodeBB');
+	var browserTitle = validator.escape(String(meta.config.browserTitle || meta.config.title || 'NodeBB'));
 	pageTitle = pageTitle || '';
 	var title = titleLayout.replace('{pageTitle}', function() {
 		return pageTitle;
--- a/src/controllers/tags.js
+++ b/src/controllers/tags.js
@@ -13,7 +13,7 @@ var helpers =  require('./helpers');
 var tagsController = {};

 tagsController.getTag = function(req, res, next) {
-	var tag = validator.escape(req.params.tag);
+	var tag = validator.escape(String(req.params.tag));
 	var page = parseInt(req.query.page, 10) || 1;

 	var templateData = {
--- a/src/messaging/rooms.js
+++ b/src/messaging/rooms.js
@@ -15,7 +15,7 @@ module.exports = function(Messaging) {
 			}
 			data.roomName = data.roomName || '[[modules:chat.roomname, ' + roomId + ']]';
 			if (data.roomName) {
-				data.roomName = validator.escape(data.roomName);
+				data.roomName = validator.escape(String(data.roomName));
 			}
 			callback(null, data);
 		});
--- a/src/meta/tags.js
+++ b/src/meta/tags.js
@@ -97,7 +97,7 @@ module.exports = function(Meta) {
 				}

 				if (!tag.noEscape) {
-					tag.content = validator.escape(tag.content);
+					tag.content = validator.escape(String(tag.content));
 				}

 				return tag;
@@ -125,7 +125,7 @@ module.exports = function(Meta) {
 		if (!hasDescription) {
 			meta.push({
 				name: 'description',
-				content: validator.escape(Meta.config.description || '')
+				content: validator.escape(String(Meta.config.description || ''))
 			});
 		}
 	}
--- a/src/middleware/header.js
+++ b/src/middleware/header.js
@@ -30,7 +30,7 @@ module.exports = function(middleware) {
 				footer: function(next) {
 					req.app.render('footer', {
 						loggedIn: !!req.uid,
-						title: validator.escape(meta.config.title || meta.config.browserTitle || 'NodeBB')
+						title: validator.escape(String(meta.config.title || meta.config.browserTitle || 'NodeBB'))
 					}, next);
 				},
 				plugins: function(next) {
--- a/src/middleware/render.js
+++ b/src/middleware/render.js
@@ -81,7 +81,7 @@ module.exports = function(middleware) {
 							}
 							str = template + str;
 							var language = res.locals.config ? res.locals.config.userLang || 'en_GB' : 'en_GB';
-							language = req.query.lang ? validator.escape(req.query.lang) : language;
+							language = req.query.lang ? validator.escape(String(req.query.lang)) : language;
 							translator.translate(str, language, function(translated) {
 								translated = translator.unescape(translated);
 								translated = translated + '<script id="ajaxify-data" type="application/json">' + ajaxifyData + '</script>';
--- a/src/posts/edit.js
+++ b/src/posts/edit.js
@@ -141,7 +141,7 @@ module.exports = function(Posts) {
 						tid: tid,
 						cid: results.topic.cid,
 						uid: postData.uid,
-						title: validator.escape(title),
+						title: validator.escape(String(title)),
 						oldTitle: results.topic.title,
 						slug: topicData.slug,
 						isMainPost: true,
--- a/src/posts/user.js
+++ b/src/posts/user.js
@@ -52,8 +52,8 @@ module.exports = function(Posts) {
 				userData.banned = parseInt(userData.banned, 10) === 1;
 				userData.picture = userData.picture || '';
 				userData.status = user.getStatus(userData);
-				userData.signature = validator.escape(userData.signature || '');
-				userData.fullname = validator.escape(userData.fullname || '');
+				userData.signature = validator.escape(String(userData.signature || ''));
+				userData.fullname = validator.escape(String(userData.fullname || ''));
 			});

 			async.map(userData, function(userData, next) {
--- a/src/search.js
+++ b/src/search.js
@@ -34,7 +34,7 @@ search.search = function(data, callback) {
 			}
 		},
 		function (result, next) {
-			result.search_query = validator.escape(data.query || '');
+			result.search_query = validator.escape(String(data.query || ''));
 			result.time = (process.elapsedTimeSince(start) / 1000).toFixed(2);
 			next(null, result);
 		}
--- a/src/socket.io/admin/rooms.js
+++ b/src/socket.io/admin/rooms.js
@@ -107,7 +107,7 @@ SocketRooms.getAll = function(socket, data, callback) {
 		topTenTopics.forEach(function(topic, index) {
 			totals.topics[topic.tid] = {
 				value: topic.count || 0,
-				title: validator.escape(titles[index].title)
+				title: validator.escape(String(titles[index].title))
 			};
 		});

--- a/src/socket.io/modules.js
+++ b/src/socket.io/modules.js
@@ -280,7 +280,7 @@ SocketModules.chats.renameRoom = function(socket, data, callback) {
 			Messaging.getUidsInRoom(data.roomId, 0, -1, next);
 		},
 		function (uids, next) {
-			var eventData = {roomId: data.roomId, newName: validator.escape(data.newName)};
+			var eventData = {roomId: data.roomId, newName: validator.escape(String(data.newName))};
 			uids.forEach(function(uid) {
 				server.in('uid_' + uid).emit('event:chats.roomRename', eventData);
 			});
--- a/src/topics/create.js
+++ b/src/topics/create.js
@@ -301,7 +301,7 @@ module.exports = function(Topics) {

 				// Username override for guests, if enabled
 				if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postData.uid, 10) === 0 && data.handle) {
-					postData.user.username = validator.escape(data.handle);
+					postData.user.username = validator.escape(String(data.handle));
 				}

 				postData.favourited = false;
@@ -312,7 +312,7 @@ module.exports = function(Topics) {
 				postData.display_move_tools = true;
 				postData.selfPost = false;
 				postData.timestampISO = utils.toISOString(postData.timestamp);
-				postData.topic.title = validator.escape(postData.topic.title);
+				postData.topic.title = validator.escape(String(postData.topic.title));

 				next(null, postData);
 			}
--- a/src/topics/posts.js
+++ b/src/topics/posts.js
@@ -128,7 +128,7 @@ module.exports = function(Topics) {

 					// Username override for guests, if enabled
 					if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postObj.uid, 10) === 0 && postObj.handle) {
-						postObj.user.username = validator.escape(postObj.handle);
+						postObj.user.username = validator.escape(String(postObj.handle));
 					}
 				}
 			});
--- a/src/user/create.js
+++ b/src/user/create.js
@@ -14,7 +14,7 @@ module.exports = function(User) {
 		data.username = data.username.trim();
 		data.userslug = utils.slugify(data.username);
 		if (data.email !== undefined) {
-			data.email = validator.escape(data.email.trim());
+			data.email = validator.escape(String(data.email).trim());
 		}

 		User.isDataValid(data, function(err) {