Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-07-01 00:08:53 +02:00
Code Issues Packages Projects Releases Wiki Activity

closes #6004

Browse Source
This commit is contained in:
Barış Soner Uşaklı
2017-10-26 10:32:24 -04:00
parent a73c2628c4
commit a11058bce2
2 changed files with 32 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
src/middleware/admin.js
View File

@@ -5,6 +5,7 @@ var winston = require('winston');
var user = require('../user');
var meta = require('../meta');
var plugins = require('../plugins');
var jsesc = require('jsesc');
var controllers = {
api: require('../controllers/api'),
@@ -73,11 +74,11 @@ module.exports = function (middleware) {
var templateValues = {
config: results.config,
configJSON: JSON.stringify(results.config),
configJSON: jsesc(JSON.stringify(results.config), { isScriptContext: true }),
relative_path: results.config.relative_path,
adminConfigJSON: encodeURIComponent(JSON.stringify(results.configs)),
user: userData,
userJSON: JSON.stringify(userData).replace(/'/g, "\\'"),
userJSON: jsesc(JSON.stringify(userData), { isScriptContext: true }),
plugins: results.custom_header.plugins,
authentication: results.custom_header.authentication,
scripts: results.scripts,

29
test/controllers-admin.js
View File

@@ -578,4 +578,33 @@ describe('Admin Controllers', function () {
});
});
});
it('should escape special characters in config', function (done) {
var plugins = require('../src/plugins');
function onConfigGet(config, callback) {
config.someValue = '"foo"';
config.otherValue = "'123'";
config.script = '</script>';
callback(null, config);
}
plugins.registerHook('somePlugin', { hook: 'filter:config.get', method: onConfigGet });
request(nconf.get('url') + '/admin', { jar: jar }, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 200);
assert(body);
assert(body.indexOf('"someValue":"\\\\"foo\\\\""') !== -1);
assert(body.indexOf('"otherValue":"\\\'123\\\'"') !== -1);
assert(body.indexOf('"script":"<\\/script>"') !== -1);
request(nconf.get('url'), { jar: jar }, function (err, res, body) {
assert.ifError(err);
assert.equal(res.statusCode, 200);
assert(body);
assert(body.indexOf('"someValue":"\\\\"foo\\\\""') !== -1);
assert(body.indexOf('"otherValue":"\\\'123\\\'"') !== -1);
assert(body.indexOf('"script":"<\\/script>"') !== -1);
plugins.unregisterHook('somePlugin', 'filter:config.get', onConfigGet);
done();
});
});
});
});