From ad2b44220d505779c39f012884652f4c7a693d9e Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
 <baris@nodebb.org>
Date: Tue, 27 Sep 2016 14:23:48 +0300
Subject: [PATCH] escape event data

---
 src/events.js | 19 ++++++++++++-------
 1 file changed, 12 insertions(+), 7 deletions(-)

diff --git a/src/events.js b/src/events.js
index 9ef6a05385..7f0f3a7ec2 100644
--- a/src/events.js
+++ b/src/events.js
@@ -1,13 +1,13 @@
 
 'use strict';
 
-var async = require('async'),
-
-	db =  require('./database'),
-	batch = require('./batch'),
-	user = require('./user'),
-	utils = require('../public/src/utils');
-
+var async = require('async');
+var validator = require('validator');
+	
+var db =  require('./database');
+var batch = require('./batch');
+var user = require('./user');
+var utils = require('../public/src/utils');
 
 (function(events) {
 	events.log = function(data, callback) {
@@ -54,6 +54,11 @@ var async = require('async'),
 			},
 			function(eventsData, next) {
 				eventsData.forEach(function(event) {
+					Object.keys(event).forEach(function(key) {
+						if (typeof event[key] === 'string') {
+							event[key] = validator.escape(String(event[key] || ''));	
+						}						
+					});
 					var e = utils.merge(event);
 					e.eid = e.uid = e.type = e.ip = e.user = undefined;
 					event.jsonString = JSON.stringify(e, null, 4);