fix xss on guest handles, make sure guest handlers arent longer than max username length

barisusakli
2015-04-13 13:04:47 -04:00
parent cf825d02b7
commit 1910fdb977
2 changed files with 20 additions and 2 deletions


@@ -5,6 +5,7 @@
var async = require('async'),
winston = require('winston'),
_ = require('underscore'),
validator = require('validator'),
db = require('../database'),
user = require('../user'),
@@ -141,7 +142,7 @@ module.exports = function(Topics) {
// Username override for guests, if enabled
if (parseInt(meta.config.allowGuestHandles, 10) === 1 && parseInt(postObj.uid, 10) === 0 && postObj.handle) {
postObj.user.username = postObj.handle;
postObj.user.username = validator.escape(postObj.handle);
}
}
});
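Review bot: The escape on the `postObj.user.username = validator.escape(postObj.handle);` line covers only the copy placed in `user.username`; `postObj.handle` itself stays raw on the object, so any template or client code that renders `handle` directly would still receive unescaped guest input. If that field leaves the server, consider escaping it once in the same branch, e.g. `postObj.handle = validator.escape(postObj.handle);` followed by `postObj.user.username = postObj.handle;`, taking care that nothing downstream escapes it a second time. The length cap named in the commit title is not in this section, so it is presumably enforced in the other changed file; it is worth confirming that it runs server-side when the post is stored rather than only at display. The enclosing function begins and ends outside the hunk.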