reverted change where post title was sanitized on saving (which didn't

seem to work), now sanitizing post title on output
2025-11-02 12:05:57 +01:00 · 2013-10-01 11:54:00 -04:00
parent 3d4802ac68
commit 9613ea9018
4 changed files with 16 additions and 14 deletions
--- a/src/postTools.js
+++ b/src/postTools.js
@@ -5,6 +5,7 @@ var RDB = require('./redis.js'),
 	user = require('./user.js'),
 	async = require('async'),
 	nconf = require('nconf'),
+	validator = require('validator'),

 	utils = require('../public/src/utils'),
 	plugins = require('./plugins'),
@@ -92,10 +93,9 @@ var RDB = require('./redis.js'),
 			], function(err, results) {
 				io.sockets.in('topic_' + results[0].tid).emit('event:post_edited', {
 					pid: pid,
-					title: title,
+					title: validator.sanitize(title).escape(),
 					isMainPost: results[0].isMainPost,
 					content: results[1]
-
 				});
 			});
 		};
--- a/src/posts.js
+++ b/src/posts.js
@@ -264,9 +264,9 @@ var RDB = require('./redis.js'),
 						var socketData = {
 							posts: [postData]
 						};
-						io.sockets. in ('topic_' + tid).emit('event:new_post', socketData);
-						io.sockets. in ('recent_posts').emit('event:new_post', socketData);
-						io.sockets. in ('user/' + uid).emit('event:new_post', socketData);
+						io.sockets.in('topic_' + tid).emit('event:new_post', socketData);
+						io.sockets.in('recent_posts').emit('event:new_post', socketData);
+						io.sockets.in('user/' + uid).emit('event:new_post', socketData);
 					});

 					callback(null, 'Reply successful');
--- a/src/topics.js
+++ b/src/topics.js
@@ -15,15 +15,17 @@ schema = require('./schema.js'),
 	topicSearch = reds.createSearch('nodebbtopicsearch'),
 	validator = require('validator');

-
 (function(Topics) {

 	Topics.getTopicData = function(tid, callback) {
 		RDB.hgetall('topic:' + tid, function(err, data) {
-			if (err === null)
+			if (err === null) {
+				data.title = validator.sanitize(data.title).escape();
+
 				callback(data);
-			else
+			} else {
 				console.log(err);
+			}
 		});
 	}

@@ -658,7 +660,6 @@ schema = require('./schema.js'),

 				var slug = tid + '/' + utils.slugify(title);
 				var timestamp = Date.now();
-				title = validator.sanitize(title).escape();
 				RDB.hmset('topic:' + tid, {
 					'tid': tid,
 					'uid': uid,
@@ -698,9 +699,9 @@ schema = require('./schema.js'),

 						// Notify any users looking at the category that a new topic has arrived
 						Topics.getTopicForCategoryView(tid, uid, function(topicData) {
-							io.sockets. in ('category_' + category_id).emit('event:new_topic', topicData);
-							io.sockets. in ('recent_posts').emit('event:new_topic', topicData);
-							io.sockets. in ('user/' + uid).emit('event:new_post', {
+							io.sockets.in('category_' + category_id).emit('event:new_topic', topicData);
+							io.sockets.in('recent_posts').emit('event:new_topic', topicData);
+							io.sockets.in('user/' + uid).emit('event:new_post', {
 								posts: postData
 							});
 						});
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -309,7 +309,8 @@ var express = require('express'),
 				},
 				function (topicData, next) {
 					var lastMod = 0,
-						timestamp;
+						timestamp,
+						sanitize = validator.sanitize;

 					for (var x = 0, numPosts = topicData.posts.length; x < numPosts; x++) {
 						timestamp = parseInt(topicData.posts[x].timestamp, 10);
@@ -324,7 +325,7 @@ var express = require('express'),
 							content: topicData.topic_name
 						}, {
 							name: "description",
-							content: validator.sanitize(topicData.main_posts[0].content.substr(0, 255)).escape().replace('\n', '')
+							content: sanitize(topicData.main_posts[0].content.substr(0, 255)).escape().replace('\n', '')
 						}, {
 							property: 'og:title',
 							content: topicData.topic_name + ' | ' + (meta.config.title || 'NodeBB')