fix: encode most uses of pid to avoid more bugs like #12545

This commit is contained in:
Opliko
2024-05-09 11:25:05 +02:00
parent 43dfb60f91
commit c973a9caba
7 changed files with 14 additions and 14 deletions


@@ -302,7 +302,7 @@ define('forum/topic', [
destroyed = false; destroyed = false;
async function renderPost(pid) { async function renderPost(pid) {
const postData = postCache[pid] || await api.get(`/posts/${pid}/summary`); const postData = postCache[pid] || await api.get(`/posts/${encodeURIComponent(pid)}/summary`);
$('#post-tooltip').remove(); $('#post-tooltip').remove();
if (postData && ajaxify.data.template.topic) { if (postData && ajaxify.data.template.topic) {
postCache[pid] = postData; postCache[pid] = postData;
@@ -329,11 +329,11 @@ define('forum/topic', [
const pathname = location.pathname; const pathname = location.pathname;
const validHref = href && href !== '#' && window.location.hostname === location.hostname; const validHref = href && href !== '#' && window.location.hostname === location.hostname;
$('#post-tooltip').remove(); $('#post-tooltip').remove();
const postMatch = validHref && pathname && pathname.match(/\/post\/([\d]+)/); const postMatch = validHref && pathname && pathname.match(/\/post\/([\d]+|(?:[\w_.~!$&'()*+,;=:@-]|%[\dA-F]{2})+)/);
const topicMatch = validHref && pathname && pathname.match(/\/topic\/([\d]+)/); const topicMatch = validHref && pathname && pathname.match(/\/topic\/([\da-z-]+)/);
if (postMatch) { if (postMatch) {
const pid = postMatch[1]; const pid = postMatch[1];
if (parseInt(link.parents('[component="post"]').attr('data-pid'), 10) === parseInt(pid, 10)) { if (link.parents('[component="post"]').attr('data-pid') === pid) {
return; // dont render self post return; // dont render self post
} }
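Review bot: The new postMatch regex on the `const postMatch` line can truncate a non-numeric pid, because the first alternative `[\d]+` is tried first and succeeds on any leading digits with nothing required after it; for a pathname like `/post/12ab` the capture is `12`. Since `\w` in the second alternative already covers digits, dropping the first alternative fixes this: `pathname.match(/\/post\/((?:[\w_.~!$&'()*+,;=:@-]|%[\dA-F]{2})+)/)`. Two smaller points: `%[\dA-F]{2}` does not accept lowercase hex digits (an `i` flag or `[\da-fA-F]` would), and the captured pid is still percent-encoded when it is compared with `attr('data-pid')` on the following line, so a pid containing encoded characters would never match its own post; comparing against `decodeURIComponent(pid)` would be consistent with the `renderPost` change in the first hunk. The enclosing click handler starts and ends outside the hunk.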


@@ -35,10 +35,10 @@ define('forum/topic/delete-posts', [
showPostsSelected(); showPostsSelected();
deleteBtn.on('click', function () { deleteBtn.on('click', function () {
deletePosts(deleteBtn, pid => `/posts/${pid}/state`); deletePosts(deleteBtn, pid => `/posts/${encodeURIComponent(pid)}/state`);
}); });
purgeBtn.on('click', function () { purgeBtn.on('click', function () {
deletePosts(purgeBtn, pid => `/posts/${pid}`); deletePosts(purgeBtn, pid => `/posts/${encodeURIComponent(pid)}`);
}); });
}); });
}; };


@@ -9,7 +9,7 @@ define('forum/topic/diffs', ['api', 'bootbox', 'alerts', 'forum/topic/images'],
return; return;
} }
api.get(`/posts/${pid}/diffs`, {}).then((data) => { api.get(`/posts/${encodeURIComponent(pid)}/diffs`, {}).then((data) => {
parsePostHistory(data).then(($html) => { parsePostHistory(data).then(($html) => {
const $modal = bootbox.dialog({ const $modal = bootbox.dialog({
title: '[[topic:diffs.title]]', title: '[[topic:diffs.title]]',
@@ -57,7 +57,7 @@ define('forum/topic/diffs', ['api', 'bootbox', 'alerts', 'forum/topic/images'],
return; return;
} }
api.get(`/posts/${pid}/diffs/${since}`, {}).then((data) => { api.get(`/posts/${encodeURIComponent(pid)}/diffs/${since}`, {}).then((data) => {
data.deleted = !!parseInt(data.deleted, 10); data.deleted = !!parseInt(data.deleted, 10);
app.parseAndTranslate('partials/posts_list', 'posts', { app.parseAndTranslate('partials/posts_list', 'posts', {
@@ -74,14 +74,14 @@ define('forum/topic/diffs', ['api', 'bootbox', 'alerts', 'forum/topic/images'],
return; return;
} }
api.put(`/posts/${pid}/diffs/${since}`, {}).then(() => { api.put(`/posts/${encodeURIComponent(pid)}/diffs/${since}`, {}).then(() => {
$modal.modal('hide'); $modal.modal('hide');
alerts.success('[[topic:diffs.post-restored]]'); alerts.success('[[topic:diffs.post-restored]]');
}).catch(alerts.error); }).catch(alerts.error);
}; };
Diffs.delete = function (pid, timestamp, $selectEl, $numberOfDiffCon) { Diffs.delete = function (pid, timestamp, $selectEl, $numberOfDiffCon) {
api.del(`/posts/${pid}/diffs/${timestamp}`).then((data) => { api.del(`/posts/${encodeURIComponent(pid)}/diffs/${timestamp}`).then((data) => {
parsePostHistory(data, 'diffs').then(($html) => { parsePostHistory(data, 'diffs').then(($html) => {
$selectEl.empty().append($html); $selectEl.empty().append($html);
$selectEl.trigger('change'); $selectEl.trigger('change');
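Review bot: `since` and `timestamp` are still interpolated unencoded into the same path templates in which this section now encodes pid (the `api.get`, `api.put` and `api.del` calls of the second and third hunks). If those values are always the numeric timestamps they appear to be, this is harmless; if they can come from a user-controlled select, encoding them the same way keeps the path well-formed, e.g. `api.del(`/posts/${encodeURIComponent(pid)}/diffs/${encodeURIComponent(timestamp)}`)`. The enclosing functions start before and end after their hunks.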


@@ -141,7 +141,7 @@ define('forum/topic/move-post', [
return; return;
} }
Promise.all(data.pids.map(pid => api.put(`/posts/${pid}/move`, { Promise.all(data.pids.map(pid => api.put(`/posts/${encodeURIComponent(pid)}/move`, {
tid: data.tid, tid: data.tid,
}))).then(() => { }))).then(() => {
data.pids.forEach(function (pid) { data.pids.forEach(function (pid) {


@@ -360,7 +360,7 @@ define('forum/topic/postTools', [
function bookmarkPost(button, pid) { function bookmarkPost(button, pid) {
const method = button.attr('data-bookmarked') === 'false' ? 'put' : 'del'; const method = button.attr('data-bookmarked') === 'false' ? 'put' : 'del';
api[method](`/posts/${pid}/bookmark`, undefined, function (err) { api[method](`/posts/${encodeURIComponent(pid)}/bookmark`, undefined, function (err) {
if (err) { if (err) {
return alerts.error(err); return alerts.error(err);
} }


@@ -7,7 +7,7 @@ define('topicThumbs', [
Thumbs.get = id => api.get(`/topics/${id}/thumbs`, {}); Thumbs.get = id => api.get(`/topics/${id}/thumbs`, {});
Thumbs.getByPid = pid => api.get(`/posts/${pid}`, {}).then(post => Thumbs.get(post.tid)); Thumbs.getByPid = pid => api.get(`/posts/${encodeURIComponent(pid)}`, {}).then(post => Thumbs.get(post.tid));
Thumbs.delete = (id, path) => api.del(`/topics/${id}/thumbs`, { Thumbs.delete = (id, path) => api.del(`/topics/${id}/thumbs`, {
path: path, path: path,
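Review bot: `Thumbs.get` and `Thumbs.delete`, on the context lines around the changed one, still interpolate the topic `id` unencoded into `/topics/${id}/thumbs`, while the pid in `Thumbs.getByPid` is now encoded. If tids are always numeric this is fine and matches the commit's stated scope of pid only; otherwise the same treatment, `api.get(`/topics/${encodeURIComponent(id)}/thumbs`, {})`, would be wanted here too.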


@@ -443,7 +443,7 @@ module.exports = function (Topics) {
await Topics.events.log(tid, { await Topics.events.log(tid, {
uid, uid,
type: 'backlink', type: 'backlink',
href: `/post/${pid}`, href: `/post/${encodeURIComponent(pid)}`,
}); });
})); }));