From a11058bce298ddec9409b7650463e74a6f88dc0b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Thu, 26 Oct 2017 10:32:24 -0400
Subject: [PATCH] closes #6004

---
 src/middleware/admin.js | 5 +++--
 test/controllers-admin.js | 29 +++++++++++++++++++++++++++++
 2 files changed, 32 insertions(+), 2 deletions(-)

diff --git a/src/middleware/admin.js b/src/middleware/admin.js
index d320e9c850..2d0968d50f 100644
--- a/src/middleware/admin.js
+++ b/src/middleware/admin.js
@@ -5,6 +5,7 @@ var winston = require('winston');
 var user = require('../user');
 var meta = require('../meta');
 var plugins = require('../plugins');
+var jsesc = require('jsesc');
 
 var controllers = {
 api: require('../controllers/api'),
@@ -73,11 +74,11 @@ module.exports = function (middleware) {
 
 var templateValues = {
 config: results.config,
- configJSON: JSON.stringify(results.config),
+ configJSON: jsesc(JSON.stringify(results.config), { isScriptContext: true }),
 relative_path: results.config.relative_path,
 adminConfigJSON: encodeURIComponent(JSON.stringify(results.configs)),
 user: userData,
- userJSON: JSON.stringify(userData).replace(/'/g, "\\'"),
+ userJSON: jsesc(JSON.stringify(userData), { isScriptContext: true }),
 plugins: results.custom_header.plugins,
 authentication: results.custom_header.authentication,
 scripts: results.scripts,
diff --git a/test/controllers-admin.js b/test/controllers-admin.js
index e7664ca53f..4a82ceb50c 100644
--- a/test/controllers-admin.js
+++ b/test/controllers-admin.js
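Review bot: `require('jsesc')` introduces a runtime dependency, but the diffstat lists only the middleware and the test, so no package.json change accompanies it. If jsesc is present only as a transitive dependency of some other package, this require works through npm hoisting and will break on a clean install or an unrelated dependency upgrade. Confirm it is a direct, pinned entry in package.json, since the escaping of config and user data into the page now depends entirely on its behaviour.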
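Review bot: The new `configJSON`/`userJSON` values are only safe if the template embeds them inside a single-quoted JS string: jsesc's default `quotes: 'single'` leaves `"` untouched while escaping `\` and `'` (the test's expected `\\"foo\\"` shows exactly that), so a template switching to double quotes would reopen the string-break injection this commit closes. I would make that coupling explicit with `{ quotes: 'single', isScriptContext: true }` on both lines and add a comment above `configJSON`: `// Embedded in a single-quoted JS string by the template; jsesc escapes quotes, backslashes, non-ASCII (incl. U+2028/9) and </script> so values cannot break out of the literal or the script tag.` `adminConfigJSON` two lines below still uses `encodeURIComponent`, a different escaping strategy for the same kind of data; fine, but a comment noting that the template decodes it would stop the next reader from "unifying" the two. The `templateValues` object and the enclosing middleware function begin and end outside this hunk.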
@@ -578,4 +578,33 @@ describe('Admin Controllers', function () {
 });
 });
 });
+
+ it('should escape special characters in config', function (done) {
+ var plugins = require('../src/plugins');
+ function onConfigGet(config, callback) {
+ config.someValue = '"foo"';
+ config.otherValue = "'123'";
+ config.script = '';
+ callback(null, config);
+ }
+ plugins.registerHook('somePlugin', { hook: 'filter:config.get', method: onConfigGet });
+ request(nconf.get('url') + '/admin', { jar: jar }, function (err, res, body) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 200);
+ assert(body);
+ assert(body.indexOf('"someValue":"\\\\"foo\\\\""') !== -1);
+ assert(body.indexOf('"otherValue":"\\\'123\\\'"') !== -1);
+ assert(body.indexOf('"script":"<\\/script>"') !== -1);
+ request(nconf.get('url'), { jar: jar }, function (err, res, body) {
+ assert.ifError(err);
+ assert.equal(res.statusCode, 200);
+ assert(body);
+ assert(body.indexOf('"someValue":"\\\\"foo\\\\""') !== -1);
+ assert(body.indexOf('"otherValue":"\\\'123\\\'"') !== -1);
+ assert(body.indexOf('"script":"<\\/script>"') !== -1);
+ plugins.unregisterHook('somePlugin', 'filter:config.get', onConfigGet);
+ done();
+ });
+ });
+ });
 });
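Review bot: `plugins.unregisterHook(...)` runs only after the last assertion succeeds, so any failing `assert` in either callback leaves `onConfigGet` registered on `filter:config.get` and pollutes every later test in the file; unregister before asserting, e.g. move `plugins.unregisterHook('somePlugin', 'filter:config.get', onConfigGet);` to the first line of the inner callback, or register it in an `afterEach`. As shown, `config.script = '';` cannot produce the asserted `"script":"<\\/script>"`; the literal was presumably `'</script>'` and was stripped on extraction, so confirm against the repository before relying on this page. The second request to `nconf.get('url')` asserts the same escaping on the non-admin page, which none of the hunks in this patch change, so that path must already apply equivalent escaping or this test fails. The `describe` block begins before this hunk.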