escape labelColor, icon, cover:position, validate toPid
@@ -7,13 +7,17 @@ define('iconSelect', function () {
|
||||
|
||||
iconSelect.init = function (el, onModified) {
|
||||
onModified = onModified || function () {};
|
||||
var doubleSize = el.hasClass('fa-2x'),
|
||||
selected = el.attr('class').replace('fa-2x', '').replace('fa', '').replace(/\s+/g, '');
|
||||
var doubleSize = el.hasClass('fa-2x');
|
||||
var selected = el.attr('class').replace('fa-2x', '').replace('fa', '').replace(/\s+/g, '');
|
||||
|
||||
$('#icons .selected').removeClass('selected');
|
||||
|
||||
if (selected) {
|
||||
$('#icons .fa-icons .fa.' + selected).addClass('selected');
|
||||
try {
|
||||
$('#icons .fa-icons .fa.' + selected).addClass('selected');
|
||||
} catch (err) {
|
||||
selected = '';
|
||||
}
|
||||
}
|
||||
|
||||
templates.parse('partials/fontawesome', {}, function (html) {
|
||||
|
||||
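Review bot: The new `try { … } catch (err) { selected = ''; }` around `$('#icons .fa-icons .fa.' + selected)` swallows every exception, not just a selector-syntax failure, and leaves no trace, so an unexpected value in `el.attr('class')` (which is what `selected` is built from on the `var selected = …` line) now silently deselects rather than surfacing. At minimum record what was rejected, e.g. `} catch (err) { console.warn('iconSelect: ignoring unparsable icon class', selected); selected = ''; }`; if the jQuery in use provides `$.escapeSelector` (or the browser `CSS.escape`), escaping the class before interpolating it into the selector avoids the exception path altogether. The `.replace` chain still runs before the `try`, so a missing `class` attribute would throw outside the guard. `iconSelect.init` continues past the end of the hunk.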
@@ -139,7 +139,7 @@ helpers.getUserDataByUserSlug = function (userslug, callerUID, callback) {
|
||||
userData.moderationNote = validator.escape(String(userData.moderationNote || ''));
|
||||
|
||||
userData['cover:url'] = userData['cover:url'] || require('../../coverPhoto').getDefaultProfileCover(userData.uid);
|
||||
userData['cover:position'] = userData['cover:position'] || '50% 50%';
|
||||
userData['cover:position'] = validator.escape(String(userData['cover:position'] || '50% 50%'));
|
||||
userData['username:disableEdit'] = !userData.isAdmin && parseInt(meta.config['username:disableEdit'], 10) === 1;
|
||||
userData['email:disableEdit'] = !userData.isAdmin && parseInt(meta.config['email:disableEdit'], 10) === 1;
|
||||
|
||||
|
||||
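Review bot: `validator.escape` on `userData['cover:position']` only protects the HTML attribute boundary; if the value is emitted as a CSS `background-position` inside a `style` attribute or `<style>` block (its `50% 50%` default suggests so, but the consuming template is outside this diff), the browser decodes HTML entities before the CSS parser runs, and characters such as `;`, `(` and `:` are not touched by the escape at all, so extra CSS declarations could still be injected. A positive allowlist matches the value's shape better, e.g. `userData['cover:position'] = /^\d{1,3}% \d{1,3}%$/.test(String(userData['cover:position'] || '')) ? userData['cover:position'] : '50% 50%';`. The same applies to `results.base['cover:position']` and `group['cover:position']` in the later hunks, and to `labelColor` (a `#rrggbb` shape) where it is escaped. `getUserDataByUserSlug` continues outside the hunk.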
@@ -157,7 +157,9 @@ var utils = require('../public/src/utils');
|
||||
}
|
||||
|
||||
results.base['cover:url'] = results.base['cover:url'] || require('./coverPhoto').getDefaultGroupCover(groupName);
|
||||
results.base['cover:position'] = results.base['cover:position'] || '50% 50%';
|
||||
results.base['cover:position'] = validator.escape(String(results.base['cover:position'] || '50% 50%'));
|
||||
results.base.labelColor = validator.escape(String(results.base.labelColor || '#000000'));
|
||||
results.base.icon = validator.escape(String(results.base.icon || ''));
|
||||
|
||||
plugins.fireHook('filter:parse.raw', results.base.description, function (err, descriptionParsed) {
|
||||
if (err) {
|
||||
@@ -400,7 +402,8 @@ var utils = require('../public/src/utils');
|
||||
if (group) {
|
||||
Groups.escapeGroupData(group);
|
||||
group.userTitleEnabled = group.userTitleEnabled ? parseInt(group.userTitleEnabled, 10) === 1 : true;
|
||||
group.labelColor = group.labelColor || '#000000';
|
||||
group.labelColor = validator.escape(String(group.labelColor || '#000000'));
|
||||
group.icon = validator.escape(String(group.icon || ''));
|
||||
group.createtimeISO = utils.toISOString(group.createtime);
|
||||
group.hidden = parseInt(group.hidden, 10) === 1;
|
||||
group.system = parseInt(group.system, 10) === 1;
|
||||
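Review bot: `group.labelColor` and `group.icon` are escaped on the two new lines immediately after `Groups.escapeGroupData(group);`; if that helper already escapes these fields (its body is not in the diff), the values are now passed through `validator.escape` twice and an ampersand renders as `&amp;amp;`. Either escape them in one place, or make the new lines the only escape for these fields and document that in a comment such as `// labelColor and icon are not covered by escapeGroupData; escape them here`. The enclosing callback continues outside the hunk.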
@@ -409,7 +412,7 @@ var utils = require('../public/src/utils');
|
||||
|
||||
group['cover:url'] = group['cover:url'] || require('./coverPhoto').getDefaultGroupCover(group.name);
|
||||
group['cover:thumb:url'] = group['cover:thumb:url'] || group['cover:url'];
|
||||
group['cover:position'] = group['cover:position'] || '50% 50%';
|
||||
group['cover:position'] = validator.escape(String(group['cover:position'] || '50% 50%'));
|
||||
}
|
||||
});
|
||||
|
||||
|
||||
@@ -9,7 +9,7 @@ var plugins = require('../plugins');
|
||||
var user = require('../user');
|
||||
var topics = require('../topics');
|
||||
var categories = require('../categories');
|
||||
|
||||
var utils = require('../../public/src/utils');
|
||||
|
||||
module.exports = function (Posts) {
|
||||
|
||||
@@ -24,6 +24,10 @@ module.exports = function (Posts) {
|
||||
return callback(new Error('[[error:invalid-uid]]'));
|
||||
}
|
||||
|
||||
if (data.toPid && !utils.isNumber(data.toPid)) {
|
||||
return callback(new Error('[[error:invalid-pid]]'));
|
||||
}
|
||||
|
||||
var postData;
|
||||
|
||||
async.waterfall([
|
||||
|
||||
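Review bot: The new guard `if (data.toPid && !utils.isNumber(data.toPid))` depends on what `utils.isNumber` accepts, which is not visible here; if it accepts anything `Number()` parses (floats, exponents, surrounding whitespace), a value like `'1.5'` still passes and reaches the waterfall as a non-id. Normalising once accepted, e.g. `data.toPid = parseInt(data.toPid, 10);` after the check, would make the downstream lookup unambiguous. The enclosing function and the `async.waterfall` continue outside the hunk.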
@@ -152,6 +152,13 @@ describe('Topic\'s', function () {
|
||||
done();
|
||||
});
|
||||
});
|
||||
|
||||
it('should fail to create new reply with invalid toPid', function (done) {
|
||||
topics.reply({uid: topic.userId, content: 'test post', tid: newTopic.tid, toPid: '"onmouseover=alert(1);//'}, function (err) {
|
||||
assert.equal(err.message, '[[error:invalid-pid]]');
|
||||
done();
|
||||
});
|
||||
});
|
||||
});
|
||||
|
||||
describe('Get methods', function () {
|
||||
|
||||
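Review bot: The new `it('should fail to create new reply with invalid toPid', …)` pins only the rejection message for one malformed value; nothing guards the other direction, so a future `utils.isNumber` change that starts rejecting legitimate ids would go unnoticed. Add a companion case that replies with a valid numeric `toPid` (the parent post's own pid, as a number and as a string) and asserts `err` is absent, and consider one more negative case such as `toPid: '1.5'` to fix the intended "integer id" meaning. The surrounding `describe` continues outside the hunk.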