Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-11-03 04:25:55 +01:00
Code Issues Packages Projects Releases Wiki Activity

escape labelColor, icon, cover:position, validate toPid

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2016-12-17 16:00:39 +03:00
parent a043876d00
commit 4ff3d06f90
5 changed files with 26 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

10
public/src/modules/iconSelect.js
View File

@@ -7,13 +7,17 @@ define('iconSelect', function () {
iconSelect.init = function (el, onModified) { iconSelect.init = function (el, onModified) {
onModified = onModified || function () {}; onModified = onModified || function () {};
var doubleSize = el.hasClass('fa-2x'), var doubleSize = el.hasClass('fa-2x');
selected = el.attr('class').replace('fa-2x', '').replace('fa', '').replace(/\s+/g, ''); var selected = el.attr('class').replace('fa-2x', '').replace('fa', '').replace(/\s+/g, '');
$('#icons .selected').removeClass('selected'); $('#icons .selected').removeClass('selected');
if (selected) { if (selected) {
$('#icons .fa-icons .fa.' + selected).addClass('selected'); try {
$('#icons .fa-icons .fa.' + selected).addClass('selected');
} catch (err) {
selected = '';
}
} }
templates.parse('partials/fontawesome', {}, function (html) { templates.parse('partials/fontawesome', {}, function (html) {

2
src/controllers/accounts/helpers.js
View File

@@ -139,7 +139,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
userData.moderationNote = validator.escape(String(userData.moderationNote || '')); userData.moderationNote = validator.escape(String(userData.moderationNote || ''));
userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid); userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
userData['cover:position'] = userData['cover:position'] || '50% 50%'; userData['cover:position'] = validator.escape(String(userData['cover:position'] || '50% 50%'));
userData['username:disableEdit'] = !userData.isAdmin && parseInt(meta.config['username:disableEdit'], 10) === 1; userData['username:disableEdit'] = !userData.isAdmin && parseInt(meta.config['username:disableEdit'], 10) === 1;
userData['email:disableEdit'] = !userData.isAdmin && parseInt(meta.config['email:disableEdit'], 10) === 1; userData['email:disableEdit'] = !userData.isAdmin && parseInt(meta.config['email:disableEdit'], 10) === 1;

9
src/groups.js
View File

@@ -157,7 +157,9 @@ var utils = require('../public/src/utils');
} }
results.base['cover:url'] = results.base['cover:url'] || require('./coverPhoto').getDefaultGroupCover(groupName); results.base['cover:url'] = results.base['cover:url'] || require('./coverPhoto').getDefaultGroupCover(groupName);
results.base['cover:position'] = results.base['cover:position'] || '50% 50%'; results.base['cover:position'] = validator.escape(String(results.base['cover:position'] || '50% 50%'));
results.base.labelColor = validator.escape(String(results.base.labelColor || '#000000'));
results.base.icon = validator.escape(String(results.base.icon || ''));
plugins.fireHook('filter:parse.raw', results.base.description, function (err, descriptionParsed) { plugins.fireHook('filter:parse.raw', results.base.description, function (err, descriptionParsed) {
if (err) { if (err) {
@@ -400,7 +402,8 @@ var utils = require('../public/src/utils');
if (group) { if (group) {
Groups.escapeGroupData(group); Groups.escapeGroupData(group);
group.userTitleEnabled = group.userTitleEnabled ? parseInt(group.userTitleEnabled, 10) === 1 : true; group.userTitleEnabled = group.userTitleEnabled ? parseInt(group.userTitleEnabled, 10) === 1 : true;
group.labelColor = group.labelColor || '#000000'; group.labelColor = validator.escape(String(group.labelColor || '#000000'));
group.icon = validator.escape(String(group.icon || ''));
group.createtimeISO = utils.toISOString(group.createtime); group.createtimeISO = utils.toISOString(group.createtime);
group.hidden = parseInt(group.hidden, 10) === 1; group.hidden = parseInt(group.hidden, 10) === 1;
group.system = parseInt(group.system, 10) === 1; group.system = parseInt(group.system, 10) === 1;
@@ -409,7 +412,7 @@ var utils = require('../public/src/utils');
group['cover:url'] = group['cover:url'] || require('./coverPhoto').getDefaultGroupCover(group.name); group['cover:url'] = group['cover:url'] || require('./coverPhoto').getDefaultGroupCover(group.name);
group['cover:thumb:url'] = group['cover:thumb:url'] || group['cover:url']; group['cover:thumb:url'] = group['cover:thumb:url'] || group['cover:url'];
group['cover:position'] = group['cover:position'] || '50% 50%'; group['cover:position'] = validator.escape(String(group['cover:position'] || '50% 50%'));
} }
}); });

6
src/posts/create.js
View File

@@ -9,7 +9,7 @@ var plugins = require('../plugins');
var user = require('../user'); var user = require('../user');
var topics = require('../topics'); var topics = require('../topics');
var categories = require('../categories'); var categories = require('../categories');
var utils = require('../../public/src/utils');
module.exports = function (Posts) { module.exports = function (Posts) {
@@ -24,6 +24,10 @@ module.exports = function (Posts) {
return callback(new Error('[[error:invalid-uid]]')); return callback(new Error('[[error:invalid-uid]]'));
} }
if (data.toPid && !utils.isNumber(data.toPid)) {
return callback(new Error('[[error:invalid-pid]]'));
}
var postData; var postData;
async.waterfall([ async.waterfall([

7
test/topics.js
View File

@@ -152,6 +152,13 @@ describe('Topic\'s', function () {
done(); done();
}); });
}); });
it('should fail to create new reply with invalid toPid', function (done) {
topics.reply({uid: topic.userId, content: 'test post', tid: newTopic.tid, toPid: '"onmouseover=alert(1);//'}, function (err) {
assert.equal(err.message, '[[error:invalid-pid]]');
done();
});
});
}); });
describe('Get methods', function () { describe('Get methods', function () {