From b02eb57d067105c4aedae09cf1eea5413db566e5 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 9 Jun 2025 10:23:00 -0400
Subject: [PATCH] fix: escape, query params
---
 src/controllers/admin/events.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)
diff --git a/src/controllers/admin/events.js b/src/controllers/admin/events.js
index 9f3321276a..72d9b4c3e1 100644
--- a/src/controllers/admin/events.js
+++ b/src/controllers/admin/events.js
@@ -1,5 +1,6 @@
 'use strict';
 
+const validator = require('validator');
 const db = require('../../database');
 const events = require('../../events');
 const pagination = require('../../pagination');
@@ -58,6 +59,12 @@ eventsController.get = async function (req, res) {
 events: eventData,
 pagination: pagination.create(page, pageCount, req.query),
 types: types,
- query: req.query,
+ query: {
+ start: validator.escape(String(req.query.start)),
+ end: validator.escape(String(req.query.end)),
+ username: validator.escape(String(req.query.username)),
+ group: validator.escape(String(req.query.group)),
+ perPage: validator.escape(String(req.query.perPage)),
+ },
 });
 };
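Review bot: In the new `query` object, `String(req.query.start)` turns an absent parameter into the literal text `undefined`, so a request without filters hands the template `"undefined"` for every field instead of an empty value. Default before coercing, e.g. `start: validator.escape(String(req.query.start || '')),`, and do the same for `end`, `username`, `group` and `perPage`. The context line `pagination.create(page, pageCount, req.query)` still receives the raw query; its encoding is not visible in this hunk, so it is worth confirming that it does not reflect those values unescaped. The body of `eventsController.get` starts above the hunk.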