Incremented version number

Merge commit '294171b07266706ac78850be8b85b3d27e332424' into v1.x.x
fixes potential XSS in usercard
2025-12-17 22:10:23 +01:00 · 2016-03-21 09:06:33 -04:00 · 2016-03-21 09:06:33 -04:00 · 2016-03-21 08:58:59 -04:00 · 2016-03-21 10:46:39 +02:00 · 2016-03-21 10:42:12 +02:00
11 changed files with 50 additions and 30 deletions
--- a/package.json
+++ b/package.json
@@ -2,7 +2,7 @@
  "name": "nodebb",
  "license": "GPL-3.0",
  "description": "NodeBB Forum",
-  "version": "1.0.1",
+  "version": "1.0.2",
  "homepage": "http://www.nodebb.org",
  "repository": {
    "type": "git",
@@ -44,16 +44,16 @@
    "mongodb": "~2.1.3",
    "morgan": "^1.3.2",
    "nconf": "~0.8.2",
-    "nodebb-plugin-composer-default": "3.0.10",
+    "nodebb-plugin-composer-default": "3.0.11",
    "nodebb-plugin-dbsearch": "1.0.0",
    "nodebb-plugin-emoji-extended": "1.0.3",
    "nodebb-plugin-markdown": "4.0.17",
-    "nodebb-plugin-mentions": "1.0.18",
+    "nodebb-plugin-mentions": "1.0.20",
    "nodebb-plugin-soundpack-default": "0.1.6",
    "nodebb-plugin-spam-be-gone": "0.4.5",
    "nodebb-rewards-essentials": "0.0.8",
    "nodebb-theme-lavender": "3.0.9",
-    "nodebb-theme-persona": "4.0.99",
+    "nodebb-theme-persona": "4.0.100",
    "nodebb-theme-vanilla": "5.0.56",
    "nodebb-widget-essentials": "2.0.8",
    "nodemailer": "2.0.0",
--- a/public/src/admin/manage/group.js
+++ b/public/src/admin/manage/group.js
@@ -98,7 +98,7 @@ define('admin/manage/group', [

 				templates.parse('partials/groups/memberlist', 'members', {group: {isOwner: ajaxify.data.group.isOwner, members: [member]}}, function(html) {
 					translator.translate(html, function(html) {
-						$('[component="groups/members"] tr').first().before(html);
+						$('[component="groups/members"] tbody').prepend(html);
 					});
 				});
 			});
--- a/public/src/client/topic/posts.js
+++ b/public/src/client/topic/posts.js
@@ -26,19 +26,17 @@ define('forum/topic/posts', [
 			post.selfPost = !!app.user.uid && parseInt(post.uid, 10) === parseInt(app.user.uid, 10);
 			post.display_moderator_tools = post.selfPost || ajaxify.data.privileges.isAdminOrMod;
 			post.display_move_tools = ajaxify.data.privileges.isAdminOrMod;
-			post.display_post_menu = post.selfPost || ajaxify.data.privileges.isAdminOrMod;
+			post.display_post_menu = post.selfPost || ajaxify.data.privileges.isAdminOrMod || !post.deleted;
 		});

 		updatePostCounts(data.posts);
 		ajaxify.data.postcount ++;
 		postTools.updatePostCount(ajaxify.data.postcount);

-		if (ajaxify.data.scrollToMyPost) {
-			if (config.usePagination) {
-				onNewPostPagination(data);
-			} else {
-				onNewPostInfiniteScroll(data);
-			}
+		if (config.usePagination) {
+			onNewPostPagination(data);
+		} else {
+			onNewPostInfiniteScroll(data);
 		}
 	};

@@ -64,7 +62,7 @@ define('forum/topic/posts', [

 		if (isPostVisible) {
 			createNewPosts(data, components.get('post').not('[data-index=0]'), direction, scrollToPost);
-		} else if (parseInt(posts[0].uid, 10) === parseInt(app.user.uid, 10)) {
+		} else if (config.scrollToMyPost && parseInt(posts[0].uid, 10) === parseInt(app.user.uid, 10)) {
 			pagination.loadPage(ajaxify.data.pagination.pageCount, scrollToPost);
 		}
 	}
@@ -81,6 +79,9 @@ define('forum/topic/posts', [
 	}

 	function scrollToPostIfSelf(post) {
+		if (!config.scrollToMyPost) {
+		    return;
+		}
 		var isSelfPost = parseInt(post.uid, 10) === parseInt(app.user.uid, 10);
 		if (isSelfPost) {
 			navigator.scrollBottom(post.index);
--- a/src/controllers/accounts/helpers.js
+++ b/src/controllers/accounts/helpers.js
@@ -64,12 +64,14 @@ helpers.getUserDataByUserSlug = function(userslug, callerUID, callback) {
 			userData.lastonlineISO = utils.toISOString(userData.lastonline || userData.joindate);
 			userData.age = Math.max(0, userData.birthday ? Math.floor((new Date().getTime() - new Date(userData.birthday).getTime()) / 31536000000) : 0);

+			userData.emailClass = 'hide';
+
 			if (!(isAdmin || isGlobalModerator || self || (userData.email && userSettings.showemail))) {
 				userData.email = '';
+			} else if (!userSettings.showemail) {
+				userData.emailClass = '';
 			}

-			userData.emailClass = (self && !userSettings.showemail) ? '' : 'hide';
-
 			if (!isAdmin && !isGlobalModerator && !self && !userSettings.showfullname) {
 				userData.fullname = '';
 			}
--- a/src/controllers/helpers.js
+++ b/src/controllers/helpers.js
@@ -41,7 +41,7 @@ helpers.redirect = function(res, url) {
 	if (res.locals.isAPI) {
 		res.status(308).json(url);
 	} else {
-		res.redirect(nconf.get('relative_path') + url);
+		res.redirect(nconf.get('relative_path') + encodeURI(url));
 	}
 };

--- a/src/middleware/render.js
+++ b/src/middleware/render.js
@@ -13,7 +13,7 @@ module.exports = function(middleware) {
 				req = this.req,
 				defaultFn = function(err, str){
 					if (err) {
-						return req.next(err);
+						return next(err);
 					}

 					self.send(str);
--- a/src/notifications.js
+++ b/src/notifications.js
@@ -450,10 +450,13 @@ var async = require('async'),
 						});
 						var numUsers = usernames.length;

+						var title = S(notifications[modifyIndex].topicTitle).decodeHTMLEntities().s;
+						var titleEscaped = title.replace(/%/g, '&#37;').replace(/,/g, '&#44;');
+
 						if (numUsers === 2) {
-							notifications[modifyIndex].bodyShort = '[[' + mergeId + '_dual, ' + usernames.join(', ') + ', ' + notifications[modifyIndex].topicTitle + ']]';
+							notifications[modifyIndex].bodyShort = '[[' + mergeId + '_dual, ' + usernames.join(', ') + ', ' + titleEscaped + ']]';
 						} else if (numUsers > 2) {
-							notifications[modifyIndex].bodyShort = '[[' + mergeId + '_multiple, ' + usernames[0] + ', ' + (numUsers-1) + ', ' + notifications[modifyIndex].topicTitle + ']]';
+							notifications[modifyIndex].bodyShort = '[[' + mergeId + '_multiple, ' + usernames[0] + ', ' + (numUsers-1) + ', ' + titleEscaped + ']]';
 						}
 						break;

--- a/src/posts/user.js
+++ b/src/posts/user.js
@@ -1,6 +1,7 @@
 'use strict';

 var async = require('async'),
+	validator = require('validator'),

 	db = require('../database'),
 	user = require('../user'),
@@ -69,6 +70,8 @@ module.exports = function(Posts) {
 				userData.picture = userData.picture || '';
 				userData.status = user.getStatus(userData);
 				userData.groupTitle = results.groupTitles[i].groupTitle;
+				userData.signature = validator.escape(userData.signature || '');
+				userData.fullname = validator.escape(userData.fullname || '');
 			});

 			async.map(userData, function(userData, next) {
--- a/src/socket.io/helpers.js
+++ b/src/socket.io/helpers.js
@@ -2,6 +2,7 @@

 var async = require('async');
 var winston = require('winston');
+var S = require('string');
 var nconf = require('nconf');

 var websockets = require('./index');
@@ -62,8 +63,11 @@ SocketHelpers.sendNotificationToPostOwner = function(pid, fromuid, notification)
 				return;
 			}

+			var title = S(results.topicTitle).decodeHTMLEntities().s;
+			var titleEscaped = title.replace(/%/g, '&#37;').replace(/,/g, '&#44;');
+
 			notifications.create({
-				bodyShort: '[[' + notification + ', ' + results.username + ', ' + results.topicTitle + ']]',
+				bodyShort: '[[' + notification + ', ' + results.username + ', ' + titleEscaped + ']]',
 				bodyLong: results.postObj.content,
 				pid: pid,
 				nid: 'post:' + pid + ':uid:' + fromuid,
@@ -93,8 +97,11 @@ SocketHelpers.sendNotificationToTopicOwner = function(tid, fromuid, notification
 			return;
 		}

+		var title = S(results.topicData.title).decodeHTMLEntities().s;
+		var titleEscaped = title.replace(/%/g, '&#37;').replace(/,/g, '&#44;');
+
 		notifications.create({
-			bodyShort: '[[' + notification + ', ' + results.username + ', ' + results.topicData.title + ']]',
+			bodyShort: '[[' + notification + ', ' + results.username + ', ' + titleEscaped + ']]',
 			path: nconf.get('relative_path') + '/topic/' + results.topicData.slug,
 			nid: 'tid:' + tid + ':uid:' + fromuid,
 			from: fromuid
--- a/src/socket.io/posts/flag.js
+++ b/src/socket.io/posts/flag.js
@@ -1,6 +1,7 @@
 'use strict';

 var async = require('async');
+var S = require('string');

 var user = require('../../user');
 var groups = require('../../groups');
@@ -82,8 +83,11 @@ module.exports = function(SocketPosts) {
 				}, next);
 			},
 			function (results, next) {
+				var title = S(post.topic.title).decodeHTMLEntities().s;
+				var titleEscaped = title.replace(/%/g, '&#37;').replace(/,/g, '&#44;');
+
 				notifications.create({
-					bodyShort: '[[notifications:user_flagged_post_in, ' + flaggingUser.username + ', ' + post.topic.title + ']]',
+					bodyShort: '[[notifications:user_flagged_post_in, ' + flaggingUser.username + ', ' + titleEscaped + ']]',
 					bodyLong: post.content,
 					pid: data.pid,
 					nid: 'post_flag:' + data.pid + ':uid:' + socket.uid,
--- a/src/views/admin/manage/group.tpl
+++ b/src/views/admin/manage/group.tpl
@@ -63,7 +63,7 @@
 				<fieldset>
 					<div class="checkbox">
 						<label>
-							<input id="group-hidden" name="hidden" type="checkbox"<!-- IF group.hidden --> checked<!-- ENDIF group.hidden -->> <strong>[Hidden</strong>
+							<input id="group-hidden" name="hidden" type="checkbox"<!-- IF group.hidden --> checked<!-- ENDIF group.hidden -->> <strong>Hidden</strong>
 							<p class="help-block">
 								If enabled, this group will not be found in the groups listing, and users will have to be invited manually
 							</p>
Author	SHA1	Message	Date
NodeBB Misty	b81e395a26	Incremented version number	2016-03-21 09:06:33 -04:00
NodeBB Misty	c12963593d	Merge commit '294171b07266706ac78850be8b85b3d27e332424' into v1.x.x	2016-03-21 09:06:33 -04:00
psychobunny	294171b072	fixes potential XSS in usercard	2016-03-21 08:58:59 -04:00
barisusakli	cccc64ef90	up persona	2016-03-21 10:46:39 +02:00
Barış Soner Uşaklı	e9648daf7f	Merge pull request #4421 from pichalite/issue-4386 fixes #4386	2016-03-21 10:42:12 +02:00
Barış Soner Uşaklı	fd80259768	Merge pull request #4419 from BenLubar/topic-title-truncated fix notifications that contain topic titles with commas in them	2016-03-21 10:40:29 +02:00
Barış Soner Uşaklı	fe7d4999c9	Merge pull request #4418 from BenLubar/post-tools-stream fix post tools not showing up for other users on new posts	2016-03-21 10:27:17 +02:00
Barış Soner Uşaklı	4d92ddf634	Merge pull request #4416 from BenLubar/email-hidden-symbol-for-staff show the crossed-out eye icon for private email addresses	2016-03-21 10:24:48 +02:00
barisusakli	4eb7468dcd	already checked in scrollToPostIfSelf	2016-03-21 10:16:10 +02:00
Barış Soner Uşaklı	86180e29e6	Merge pull request #4415 from boomzillawtf/master Loads posts if appropriate, but doesn't scroll to new post according …	2016-03-21 10:11:50 +02:00
barisusakli	e5188ee05b	up mentions	2016-03-21 09:43:27 +02:00
Barış Soner Uşaklı	43ddf008ac	Merge pull request #4417 from BenLubar/crashes-2016-03-19 fix two crashes	2016-03-21 09:22:48 +02:00
pichalite	9c9e49e2f6	properly fix with styling	2016-03-20 22:20:55 +00:00
pichalite	497592965f	fixes issue-4386	2016-03-20 22:09:10 +00:00
Ben Lubar	44431f8410	fix notifications that contain topic titles with commas in them	2016-03-20 16:28:21 -05:00
Ben Lubar	bb88c82ffd	fix post tools not showing up for other users on new posts (src/topics/posts.js has this condition already)	2016-03-20 15:59:38 -05:00
Ben Lubar	3c607f2612	fix two crashes	2016-03-20 15:11:32 -05:00
Ben Lubar	d654978508	show the crossed-out eye icon for users who want their email private for staff, not just the user	2016-03-20 15:07:11 -05:00
boomzillawtf	3d0012d730	Loads posts if appropriate, but doesn't scroll to new post according to the scroll to my post setting. Addresses #4412 .	2016-03-20 14:48:55 -04:00
barisusakli	e556ae93ea	up mentions	2016-03-19 10:47:05 +02:00
barisusakli	b9b8f2320f	up composer	2016-03-19 10:36:39 +02:00
NodeBB Misty	c9f285a883	bumped up version Conflicts: package.json	2016-03-18 13:47:49 -04:00