fix: escape bootswatchSkin and homepageRoute

2025-10-26 08:36:12 +01:00 · 2020-01-17 11:48:00 -05:00
parent 3e52557689
commit b0f3e48ac2
1 changed files with 4 additions and 1 deletions
--- a/src/user/settings.js
+++ b/src/user/settings.js
@@ -1,6 +1,8 @@

 'use strict';

+const validator = require('validator');
+
 const meta = require('../meta');
 const db = require('../database');
 const plugins = require('../plugins');
@@ -56,7 +58,8 @@ module.exports = function (User) {
 		settings.upvoteNotifFreq = getSetting(settings, 'upvoteNotifFreq', 'all');
 		settings.restrictChat = parseInt(getSetting(settings, 'restrictChat', 0), 10) === 1;
 		settings.topicSearchEnabled = parseInt(getSetting(settings, 'topicSearchEnabled', 0), 10) === 1;
-		settings.bootswatchSkin = settings.bootswatchSkin || '';
+		settings.bootswatchSkin = validator.escape(String(settings.bootswatchSkin || ''));
+		settings.homePageRoute = validator.escape(String(settings.homePageRoute || ''));
 		settings.scrollToMyPost = parseInt(getSetting(settings, 'scrollToMyPost', 1), 10) === 1;
 		settings.categoryWatchState = getSetting(settings, 'categoryWatchState', 'notwatching');