escape history data, hide moderation note in api

src/controllers/accounts/helpers.js

@@ -87,6 +87,10 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
 				userData.ips = results.ips;
 			}
 
+			if (!isAdmin && !isGlobalModerator) {
+				userData.moderationNote = undefined;
+			}
+
 			userData.uid = userData.uid;
 			userData.yourid = callerUID;
 			userData.theirid = userData.uid;
@@ -120,6 +124,7 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
 			userData.signature = validator.escape(String(userData.signature || ''));
 			userData.aboutme = validator.escape(String(userData.aboutme || ''));
 			userData.birthday = validator.escape(String(userData.birthday || ''));
+			userData.moderationNote = validator.escape(String(userData.moderationNote || ''));
 
 			userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
 			userData['cover:position'] = userData['cover:position'] || '50% 50%';

src/controllers/accounts/info.js

@@ -22,8 +22,8 @@ infoController.get = function(req, res, callback) {
 			async.parallel({
 				history: async.apply(user.getModerationHistory, userData.uid),
 				sessions: async.apply(user.auth.getSessions, userData.uid, req.sessionID),
-				usernames: async.apply(user.getUsernameHistory, userData.uid),
-				emails: async.apply(user.getEmailHistory, userData.uid)
+				usernames: async.apply(user.getHistory, 'user:' + userData.uid + ':usernames'),
+				emails: async.apply(user.getHistory, 'user:' + userData.uid + ':emails')
 			}, next);
 		}
 	], function(err, data) {

src/middleware/header.js

@@ -120,7 +120,7 @@ module.exports = function(middleware) {
 			results.user.isAdmin = results.isAdmin;
 			results.user.isGlobalMod = results.isGlobalMod;
 			results.user.uid = parseInt(results.user.uid, 10);
-			results.user.email = String(results.user.email).replace(/\\/g, '\\\\');
+			results.user.email = String(results.user.email).replace(/\\/g, '\\\\').replace(/"/g, '\\"');
 			results.user['email:confirmed'] = parseInt(results.user['email:confirmed'], 10) === 1;
 			results.user.isEmailConfirmSent = !!results.isEmailConfirmSent;
 

src/user/info.js

@@ -61,24 +61,15 @@ module.exports = function(User) {
 		});
 	};
 
-	User.getEmailHistory = function(uid, callback) {
-		db.getSortedSetRevRangeWithScores('user:' + uid + ':emails', 0, -1, function(err, data) {
-			callback(err, data.map(function(set) {
+	User.getHistory = function(set, callback) {
+		db.getSortedSetRevRangeWithScores(set, 0, -1, function(err, data) {
+			if (err) {
+				return callback(err);
+			}
+			callback(null, data.map(function(set) {
 				set.timestamp = set.score;
 				set.timestampISO = new Date(set.score).toISOString();
-				set.value = set.value.split(':')[0];
-				delete set.score;
-				return set;
-			}));
-		});
-	};
-
-	User.getUsernameHistory = function(uid, callback) {
-		db.getSortedSetRevRangeWithScores('user:' + uid + ':usernames', 0, -1, function(err, data) {
-			callback(err, data.map(function(set) {
-				set.timestamp = set.score;
-				set.timestampISO = new Date(set.score).toISOString();
-				set.value = set.value.split(':')[0];
+				set.value = validator.escape(String(set.value.split(':')[0]));
 				delete set.score;
 				return set;
 			}));