escape email in registration queue and invites

This commit is contained in:
Barış Soner Uşaklı
2017-12-01 17:38:02 -05:00
parent 50e824f77a
commit e3fd402070
4 changed files with 28 additions and 5 deletions


@@ -1405,7 +1405,7 @@ describe('User', function () {
username: 'rejectme',
password: '123456',
'password-confirm': '123456',
email: 'reject@me.com',
email: '<script>alert("ok");<script>reject@me.com',
}, function (err) {
assert.ifError(err);
helpers.loginUser('admin', '123456', function (err, jar) {
@@ -1413,7 +1413,7 @@ describe('User', function () {
request(nconf.get('url') + '/api/admin/manage/registration', { jar: jar, json: true }, function (err, res, body) {
assert.ifError(err);
assert.equal(body.users[0].username, 'rejectme');
assert.equal(body.users[0].email, 'reject@me.com');
assert.equal(body.users[0].email, '&lt;script&gt;alert(&quot;ok&quot;);&lt;script&gt;reject@me.com');
done();
});
});
@@ -1600,6 +1600,17 @@ describe('User', function () {
});
});
});
it('should escape email', function (done) {
socketUser.invite({ uid: inviterUid }, '<script>alert("ok");</script>', function (err) {
assert.ifError(err);
User.getInvites(inviterUid, function (err, data) {
assert.ifError(err);
assert.equal(data[0], '&lt;script&gt;alert(&quot;ok&quot;);&lt;&#x2F;script&gt;');
done();
});
});
});
});
describe('email confirm', function () {