Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2025-10-26 08:36:12 +01:00
Code Issues Packages Projects Releases Wiki Activity

fix: do not blindly escape a notification's bodyLong

Browse Source 
For 7+ years we were escaping this value, but it is in many cases already sanitized (as it may be a post content). For those cases when it is not, I now run it through parse.raw.

Instead of escaping, it now strips p, img, and a tags.
This commit is contained in:
Julian Lam
2021-02-09 11:14:53 -05:00
parent 0092df2c02
commit 783786cf8c
4 changed files with 5 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/flags.js
View File

@@ -720,7 +720,7 @@ Flags.notify = async function (flagObj, uid) {
notifObj = await notifications.create({ notifObj = await notifications.create({
type: 'new-post-flag', type: 'new-post-flag',
bodyShort: `[[notifications:user_flagged_post_in, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${titleEscaped}]]`, bodyShort: `[[notifications:user_flagged_post_in, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${titleEscaped}]]`,
bodyLong: flagObj.description, bodyLong: await plugins.hooks.fire('filter:parse.raw', flagObj.description),
pid: flagObj.targetId, pid: flagObj.targetId,
path: `/flags/${flagObj.flagId}`, path: `/flags/${flagObj.flagId}`,
nid: `flag:post:${flagObj.targetId}`, nid: `flag:post:${flagObj.targetId}`,
@@ -733,7 +733,7 @@ Flags.notify = async function (flagObj, uid) {
notifObj = await notifications.create({ notifObj = await notifications.create({
type: 'new-user-flag', type: 'new-user-flag',
bodyShort: `[[notifications:user_flagged_user, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${flagObj.target.username}]]`, bodyShort: `[[notifications:user_flagged_user, ${flagObj.reports[flagObj.reports.length - 1].reporter.username}, ${flagObj.target.username}]]`,
bodyLong: flagObj.description, bodyLong: await plugins.hooks.fire('filter:parse.raw', flagObj.description),
path: `/flags/${flagObj.flagId}`, path: `/flags/${flagObj.flagId}`,
nid: `flag:user:${flagObj.targetId}`, nid: `flag:user:${flagObj.targetId}`,
from: uid, from: uid,

2
src/messaging/notifications.js
View File

@@ -62,7 +62,7 @@ module.exports = function (Messaging) {
type: isGroupChat ? 'new-group-chat' : 'new-chat', type: isGroupChat ? 'new-group-chat' : 'new-chat',
subject: `[[email:notif.chat.subject, ${messageObj.fromUser.username}]]`, subject: `[[email:notif.chat.subject, ${messageObj.fromUser.username}]]`,
bodyShort: `[[notifications:new_message_from, ${messageObj.fromUser.username}]]`, bodyShort: `[[notifications:new_message_from, ${messageObj.fromUser.username}]]`,
bodyLong: messageObj.content, bodyLong: await plugins.hooks.fire('filter:parse.raw', messageObj.content),
nid: `chat_${fromuid}_${roomId}`, nid: `chat_${fromuid}_${roomId}`,
from: fromuid, from: fromuid,
path: `/chats/${messageObj.roomId}`, path: `/chats/${messageObj.roomId}`,

2
src/notifications.js
View File

@@ -75,7 +75,7 @@ Notifications.getMultiple = async function (nids) {
notification.datetimeISO = utils.toISOString(notification.datetime); notification.datetimeISO = utils.toISOString(notification.datetime);
if (notification.bodyLong) { if (notification.bodyLong) {
notification.bodyLong = utils.escapeHTML(notification.bodyLong); notification.bodyLong = utils.stripHTMLTags(notification.bodyLong, ['img', 'p', 'a']);
} }
notification.user = usersData[index]; notification.user = usersData[index];

2
src/posts/queue.js
View File

@@ -95,7 +95,7 @@ module.exports = function (Posts) {
nid: `post-queue-${id}`, nid: `post-queue-${id}`,
mergeId: 'post-queue', mergeId: 'post-queue',
bodyShort: '[[notifications:post_awaiting_review]]', bodyShort: '[[notifications:post_awaiting_review]]',
bodyLong: data.content, bodyLong: await plugins.hooks.fire('filter:parse.raw', data.content),
path: '/post-queue', path: '/post-queue',
}); });
await notifications.push(notifObj, uids); await notifications.push(notifObj, uids);