From c5f58f73a7c2494ca935f9e2bfe449a10f2463ac Mon Sep 17 00:00:00 2001
From: Baris Usakli
Date: Thu, 12 Oct 2017 17:05:15 -0400
Subject: [PATCH 1/3] closes #5974
---
 src/messaging.js | 32 ++++++++++++++++++--------------
 1 file changed, 18 insertions(+), 14 deletions(-)
diff --git a/src/messaging.js b/src/messaging.js
index 9cb54d0fb3..9a53f327ce 100644
--- a/src/messaging.js
+++ b/src/messaging.js
@@ -153,24 +153,28 @@ Messaging.getRecentChats = function (callerUid, uid, start, stop, callback) {
  }, function (results, next) {
  results.roomData.forEach(function (room, index) {
- room.users = results.users[index];
- room.groupChat = room.hasOwnProperty('groupChat') ? room.groupChat : room.users.length > 2;
- room.unread = results.unread[index];
- room.teaser = results.teasers[index];
+ if (room) {
+ room.users = results.users[index];
+ room.groupChat = room.hasOwnProperty('groupChat') ? room.groupChat : room.users.length > 2;
+ room.unread = results.unread[index];
+ room.teaser = results.teasers[index];
- room.users.forEach(function (userData) {
- if (userData && parseInt(userData.uid, 10)) {
- userData.status = user.getStatus(userData);
- }
- });
- room.users = room.users.filter(function (user) {
- return user && parseInt(user.uid, 10);
- });
- room.lastUser = room.users[0];
+ room.users.forEach(function (userData) {
+ if (userData && parseInt(userData.uid, 10)) {
+ userData.status = user.getStatus(userData);
+ }
+ });
+ room.users = room.users.filter(function (user) {
+ return user && parseInt(user.uid, 10);
+ });
+ room.lastUser = room.users[0];
- room.usernames = Messaging.generateUsernames(room.users, uid);
+ room.usernames = Messaging.generateUsernames(room.users, uid);
+ }
  });
+ results.roomData = results.roomData.filter(Boolean);
+
  next(null, { rooms: results.roomData, nextStart: stop + 1 });
  }, function (ref, next) {
From 91014002642dca9ded8339f1e78c3d59cc6accb8 Mon Sep 17 00:00:00 2001
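Review bot: Wrapping the entire forEach body in `if (room) {` re-indents fourteen lines for a one-line guard; an early return as the first statement of the callback, `if (!room) { return; }`, keeps the body flat and leaves a diff that shows only the guard and the new `filter(Boolean)` line. The guard only covers a null entry in `results.roomData`; `results.users[index]` is still dereferenced for `.length` on the `room.groupChat` line, so if the users lookup in the earlier waterfall step can yield a missing entry for a present room, that line would still throw — worth confirming against that step, which is outside this hunk. `getRecentChats` starts before the hunk and continues after it.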
From: Baris Usakli
Date: Thu, 12 Oct 2017 17:57:25 -0400
Subject: [PATCH 2/3] closes #5961
---
 src/plugins/hooks.js | 7 -------
 1 file changed, 7 deletions(-)
diff --git a/src/plugins/hooks.js b/src/plugins/hooks.js
index 63e3cfaec1..71b91beeef 100644
--- a/src/plugins/hooks.js
+++ b/src/plugins/hooks.js
@@ -40,13 +40,6 @@ module.exports = function (Plugins) {
  'please use `' + Plugins.deprecatedHooks[data.hook] + '` instead.' :
  'there is no alternative.'
  ));
- } else {
- // handle hook's startsWith, i.e. action:homepage.get
- var parts = data.hook.split(':');
- if (parts.length > 2) {
- parts.pop();
- }
- parts.join(':');
  }
  if (data.hook && data.method) {
From b44cfacda1800ff193987fabd1a64a22fd7a981d Mon Sep 17 00:00:00 2001
From: Julian Lam
Date: Fri, 13 Oct 2017 11:54:05 -0400
Subject: [PATCH 3/3] resolve XSS vulnerability in flags pages
---
 src/flags.js | 3 +++
 1 file changed, 3 insertions(+)
diff --git a/src/flags.js b/src/flags.js
index 10635ee435..749878db33 100644
--- a/src/flags.js
+++ b/src/flags.js
@@ -4,6 +4,7 @@ var async = require('async');
 var _ = require('lodash');
 var S = require('string');
 var winston = require('winston');
+var validator = require('validator');
 var db = require('./database');
 var user = require('./user');
@@ -92,6 +93,7 @@ Flags.get = function (flagId, callback) {
  }, function (err, payload) {
  // Final object return construction
  next(err, Object.assign(data.base, {
+ description: validator.escape(data.base.description),
  datetimeISO: new Date(parseInt(data.base.datetime, 10)).toISOString(),
  target_readable: data.base.type.charAt(0).toUpperCase() + data.base.type.slice(1) + ' ' + data.base.targetId,
  target: payload.targetObj,
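Review bot: `validator.escape(data.base.description)` throws a TypeError when `description` is not a string, because validator's `escape` asserts a string argument, so a flag whose stored hash has no description would turn into a request error on the flag page instead of an empty field; if that field can be absent, `description: validator.escape(data.base.description || ''),` is the safer form, and the same applies to `flagObj.description` in the Flags.list hunk below. Escaping at read time also means any template or API consumer that already HTML-escapes its data will display the description double-escaped, so it is worth confirming which renderers output `description` raw before relying on this as the only fix. Flags.get continues outside the hunk.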
@@ -200,6 +202,7 @@ Flags.list = function (filters, uid, callback) {
  }
  next(null, Object.assign(flagObj, {
+ description: validator.escape(flagObj.description),
  target_readable: flagObj.type.charAt(0).toUpperCase() + flagObj.type.slice(1) + ' ' + flagObj.targetId,
  datetimeISO: new Date(parseInt(flagObj.datetime, 10)).toISOString(),
  }));