Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 16:46:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: escape navigation item fields, theme:id, category fields

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2020-06-26 15:19:18 -04:00
parent 903673d24c
commit 2355d9d5dd
7 changed files with 32 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
public/src/admin/settings/navigation.js
View File

@@ -8,19 +8,12 @@ define('admin/settings/navigation', ['translator', 'iconSelect', 'benchpress', '
navigation.init = function () { navigation.init = function () {
available = ajaxify.data.available; available = ajaxify.data.available;
$('#enabled .unescape').each(function () { $('#available').find('li .drag-item').draggable({
$(this).val(translator.unescape($(this).val()));
});
translator.translate($('#available').html(), function (html) {
$('#available').html(translator.unescape(html))
.find('li .drag-item').draggable({
connectToSortable: '#active-navigation', connectToSortable: '#active-navigation',
helper: 'clone', helper: 'clone',
distance: 10, distance: 10,
stop: drop, stop: drop,
}); });
});
$('#active-navigation').sortable().droppable({ $('#active-navigation').sortable().droppable({
accept: $('#available li .drag-item'), accept: $('#available li .drag-item'),
@@ -112,7 +105,7 @@ define('admin/settings/navigation', ['translator', 'iconSelect', 'benchpress', '
} }
data[input.name].push(input.value); data[input.name].push(input.value);
} else { } else {
data[input.name] = translator.escape(input.value); data[input.name] = input.value;
} }
}); });

7
src/categories/data.js
View File

@@ -76,9 +76,12 @@ function modifyCategory(category, fields) {
db.parseIntFields(category, intFields, fields); db.parseIntFields(category, intFields, fields);
if (category.hasOwnProperty('name')) { const escapeFields = ['name', 'color', 'bgColor', 'imageClass', 'class', 'link'];
category.name = validator.escape(String(category.name || '')); escapeFields.forEach((field) => {
if (category.hasOwnProperty(field)) {
category[field] = validator.escape(String(category[field] || ''));
} }
});
if (category.hasOwnProperty('icon')) { if (category.hasOwnProperty('icon')) {
category.icon = category.icon || 'hidden'; category.icon = category.icon || 'hidden';

4
src/controllers/admin/settings.js
View File

@@ -10,6 +10,7 @@ const navigationAdmin = require('../../navigation/admin');
const social = require('../../social'); const social = require('../../social');
const helpers = require('../helpers'); const helpers = require('../helpers');
const translator = require('../../../public/src/modules/translator');
const settingsController = module.exports; const settingsController = module.exports;
settingsController.get = async function (req, res) { settingsController.get = async function (req, res) {
@@ -104,7 +105,8 @@ settingsController.navigation = async function (req, res) {
admin.enabled.forEach(function (enabled, index) { admin.enabled.forEach(function (enabled, index) {
enabled.index = index; enabled.index = index;
enabled.selected = index === 0; enabled.selected = index === 0;
enabled.title = translator.escape(enabled.title);
enabled.text = translator.escape(enabled.text);
enabled.groups = admin.groups.map(function (group) { enabled.groups = admin.groups.map(function (group) {
return { return {
displayName: group.displayName, displayName: group.displayName,

7
src/meta/themes.js
View File

@@ -90,7 +90,12 @@ Themes.set = async (data) => {
case 'local': { case 'local': {
const current = await Meta.configs.get('theme:id'); const current = await Meta.configs.get('theme:id');
if (current !== data.id) { if (current !== data.id) {
let config = await fsReadfile(path.join(nconf.get('themes_path'), data.id, 'theme.json'), 'utf8'); const pathToThemeJson = path.join(nconf.get('themes_path'), data.id, 'theme.json');
if (!pathToThemeJson.startsWith(nconf.get('themes_path'))) {
throw new Error('[[error:invalid-theme-id]]');
}
let config = await fsReadfile(pathToThemeJson, 'utf8');
config = JSON.parse(config); config = JSON.parse(config);
await db.sortedSetRemove('plugins:active', current); await db.sortedSetRemove('plugins:active', current);

3
src/middleware/header.js
View File

@@ -3,6 +3,7 @@
var nconf = require('nconf'); var nconf = require('nconf');
var jsesc = require('jsesc'); var jsesc = require('jsesc');
var _ = require('lodash'); var _ = require('lodash');
const validator = require('validator');
var util = require('util'); var util = require('util');
var db = require('../database'); var db = require('../database');
@@ -121,7 +122,7 @@ module.exports = function (middleware) {
const tidsByFilter = results.unreadData.tidsByFilter; const tidsByFilter = results.unreadData.tidsByFilter;
results.navigation = results.navigation.map(function (item) { results.navigation = results.navigation.map(function (item) {
function modifyNavItem(item, route, filter, content) { function modifyNavItem(item, route, filter, content) {
if (item && item.originalRoute === route) { if (item && validator.unescape(item.originalRoute) === route) {
unreadData[filter] = _.zipObject(tidsByFilter[filter], tidsByFilter[filter].map(() => true)); unreadData[filter] = _.zipObject(tidsByFilter[filter], tidsByFilter[filter].map(() => true));
item.content = content; item.content = content;
if (unreadCounts[filter] > 0) { if (unreadCounts[filter] > 0) {

15
src/navigation/admin.js
View File

@@ -1,10 +1,10 @@
'use strict'; 'use strict';
const _ = require('lodash'); const _ = require('lodash');
const validator = require('validator');
const plugins = require('../plugins'); const plugins = require('../plugins');
const db = require('../database'); const db = require('../database');
const translator = require('../translator');
const pubsub = require('../pubsub'); const pubsub = require('../pubsub');
const admin = module.exports; const admin = module.exports;
@@ -17,11 +17,6 @@ pubsub.on('admin:navigation:save', function () {
admin.save = async function (data) { admin.save = async function (data) {
const order = Object.keys(data); const order = Object.keys(data);
const items = data.map(function (item, index) { const items = data.map(function (item, index) {
for (var i in item) {
if (item.hasOwnProperty(i) && typeof item[i] === 'string' && (i === 'title' || i === 'text')) {
item[i] = translator.escape(item[i]);
}
}
item.order = order[index]; item.order = order[index];
return JSON.stringify(item); return JSON.stringify(item);
}); });
@@ -45,8 +40,16 @@ admin.get = async function () {
return _.cloneDeep(cache); return _.cloneDeep(cache);
} }
const data = await db.getSortedSetRange('navigation:enabled', 0, -1); const data = await db.getSortedSetRange('navigation:enabled', 0, -1);
const escapeFields = ['iconClass', 'class', 'route', 'id', 'text', 'textClass', 'title'];
cache = data.map(function (item) { cache = data.map(function (item) {
item = JSON.parse(item); item = JSON.parse(item);
escapeFields.forEach((field) => {
if (item.hasOwnProperty(field)) {
item[field] = validator.escape(String(item[field]));
}
});
item.groups = item.groups || []; item.groups = item.groups || [];
if (item.groups && !Array.isArray(item.groups)) { if (item.groups && !Array.isArray(item.groups)) {
item.groups = [item.groups]; item.groups = [item.groups];

5
src/navigation/index.js
View File

@@ -2,7 +2,6 @@
const nconf = require('nconf'); const nconf = require('nconf');
const admin = require('./admin'); const admin = require('./admin');
const translator = require('../translator');
const groups = require('../groups'); const groups = require('../groups');
const navigation = module.exports; const navigation = module.exports;
@@ -17,10 +16,6 @@ navigation.get = async function (uid) {
item.route = nconf.get('relative_path') + item.route; item.route = nconf.get('relative_path') + item.route;
} }
Object.keys(item).forEach(function (key) {
item[key] = translator.unescape(item[key]);
});
return item; return item;
}); });