fix: escape flag filters

This commit is contained in:
Barış Soner Uşaklı
2025-05-12 09:30:33 -04:00
parent 31be083e86
commit 285d438cb3
2 changed files with 10 additions and 2 deletions


@@ -1,6 +1,7 @@
'use strict'; 'use strict';
const _ = require('lodash'); const _ = require('lodash');
const validator = require('validator');
const user = require('../user'); const user = require('../user');
const groups = require('../groups'); const groups = require('../groups');
@@ -43,9 +44,9 @@ modsController.flags.list = async function (req, res) {
filters = filters.reduce((memo, cur) => { filters = filters.reduce((memo, cur) => {
if (req.query.hasOwnProperty(cur)) { if (req.query.hasOwnProperty(cur)) {
if (typeof req.query[cur] === 'string' && req.query[cur].trim() !== '') { if (typeof req.query[cur] === 'string' && req.query[cur].trim() !== '') {
memo[cur] = req.query[cur].trim(); memo[cur] = validator.escape(String(req.query[cur].trim()));
} else if (Array.isArray(req.query[cur]) && req.query[cur].length) { } else if (Array.isArray(req.query[cur]) && req.query[cur].length) {
memo[cur] = req.query[cur]; memo[cur] = req.query[cur].map(item => validator.escape(String(item).trim()));
} }
} }
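Review bot: `validator.escape` on the new side of L22 and L24 HTML-encodes the filter values at parse time rather than at render time, so a legitimate filter term containing `'`, `&`, `<` or `/` is turned into entity text such as `&#x27;` before anything else in modsController.flags.list uses `memo[cur]` (the function starts and continues outside the hunk). If these values also drive the flag lookup, that silently changes which flags match; the escaping would then be better applied only to the copy echoed back in the response, keeping `memo[cur] = req.query[cur].trim();` for the query. If the intent is that the escaped value is deliberately both the query term and the echoed value, a comment on L22 saying so would save the next reader a detour: `// escaped copy is both echoed back to the client and used as the filter term`. Separately, the array branch on L24 will receive nested objects when the query parser is given bracketed keys, which `String(item)` renders as `[object Object]`; a `typeof item === 'string'` filter before the map would keep those out.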


@@ -928,6 +928,11 @@ describe('Flags', () => {
assert.strictEqual(flagData.reports[0].value, '"<script>alert('ok');</script>'); assert.strictEqual(flagData.reports[0].value, '"<script>alert('ok');</script>');
}); });
it('should escape filters', async () => {
const { body } = await request.get(`${nconf.get('url')}/api/flags?quick="<script>alert('foo');</script>`, { jar });
assert.strictEqual(body.filters.quick, '&quot;&lt;script&gt;alert(&#x27;foo&#x27;);&lt;&#x2F;script&gt;');
});
it('should not allow flagging post in private category', async () => { it('should not allow flagging post in private category', async () => {
const category = await Categories.create({ name: 'private category' }); const category = await Categories.create({ name: 'private category' });
@@ -1185,5 +1190,7 @@ describe('Flags', () => {
} }
}); });
}); });
}); });
}); });
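Review bot: The new test on L33-L36 only exercises the string branch of the filter reducer; the array branch (`req.query[cur]` as an array, e.g. a repeated `quick` parameter) added in the same commit has no coverage, so a regression there would pass this suite. A second `it` next to L36 requesting the same payload twice as an array and asserting `body.filters.quick` is an array of the same escaped string would close that gap. The describe block these tests live in starts and ends outside the hunk, and the trailing hunk at L39 shows fewer lines than its header counts, so I have not reviewed what it adds.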