fix: #8179, limit length of location/website/fullname, check grouptitle

2026-01-01 21:30:30 +01:00 · 2020-02-24 16:58:51 -05:00
parent 307c72a58b
commit 14e7866745
1 changed files with 26 additions and 4 deletions
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -111,6 +111,9 @@ module.exports = function (User) {
 		if (!data.website) {
 			return;
 		}
+		if (data.website.length > 255) {
+			throw new Error('[[error:invalid-website]]');
+		}
 		await User.checkMinReputation(callerUid, data.uid, 'min:rep:website');
 	}

@@ -136,13 +139,13 @@ module.exports = function (User) {
 	}

 	function isFullnameValid(data) {
-		if (data.fullname && validator.isURL(data.fullname)) {
+		if (data.fullname && (validator.isURL(data.fullname) || data.fullname.length > 255)) {
 			throw new Error('[[error:invalid-fullname]]');
 		}
 	}

 	function isLocationValid(data) {
-		if (data.location && validator.isURL(data.location)) {
+		if (data.location && (validator.isURL(data.location) || data.location.length > 255)) {
 			throw new Error('[[error:invalid-location]]');
 		}
 	}
@@ -159,8 +162,27 @@ module.exports = function (User) {
 	}

 	function isGroupTitleValid(data) {
-		if (data.groupTitle === 'registered-users' || groups.isPrivilegeGroup(data.groupTitle)) {
-			throw new Error('[[error:invalid-group-title]]');
+		function checkTitle(title) {
+			if (title === 'registered-users' || groups.isPrivilegeGroup(title)) {
+				throw new Error('[[error:invalid-group-title]]');
+			}
+		}
+		if (!data.groupTitle) {
+			return;
+		}
+		let groupTitles = [];
+		if (validator.isJSON(data.groupTitle)) {
+			groupTitles = JSON.parse(data.groupTitle);
+			if (!Array.isArray(groupTitles)) {
+				throw new Error('[[error:invalid-group-title]]');
+			}
+			groupTitles.forEach(title => checkTitle(title));
+		} else {
+			groupTitles = [data.groupTitle];
+			checkTitle(data.groupTitle);
+		}
+		if (!meta.config.allowMultipleBadges && groupTitles.length > 1) {
+			data.groupTitle = JSON.stringify(groupTitles[0]);
 		}
 	}