From babb9d7c555d3f24c5f4a6e8d5be4054054b4811 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Mon, 23 Sep 2019 23:50:04 -0400
Subject: [PATCH] fix: #7913, dont allow urls in fullname/location, validate birthday
---
 public/language/en-GB/error.json | 3 ++
 src/user/profile.js | 57 +++++++++++++++++++++++++++-----
 2 files changed, 51 insertions(+), 9 deletions(-)
diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index 9fed1f178f..55dde13268 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -14,6 +14,9 @@
 "invalid-username": "Invalid Username",
 "invalid-email": "Invalid Email",
+ "invalid-fullname": "Invalid Fullname",
+ "invalid-location": "Invalid Location",
+ "invalid-birthday": "Invalid Birthday",
 "invalid-title": "Invalid title",
 "invalid-user-data": "Invalid User Data",
 "invalid-password": "Invalid Password",
diff --git a/src/user/profile.js b/src/user/profile.js
index 589e539f54..9ce0bcb876 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -2,6 +2,7 @@
 'use strict';
 const async = require('async');
+const validator = require('validator');
 const utils = require('../utils');
 const meta = require('../meta');
@@ -11,10 +12,12 @@ const plugins = require('../plugins');
 module.exports = function (User) {
 User.updateProfile = async function (uid, data) {
- var fields = ['username', 'email', 'fullname', 'website', 'location',
- 'groupTitle', 'birthday', 'signature', 'aboutme'];
+ let fields = [
+ 'username', 'email', 'fullname', 'website', 'location',
+ 'groupTitle', 'birthday', 'signature', 'aboutme',
+ ];
- var updateUid = data.uid;
+ const updateUid = data.uid;
 const result = await plugins.fireHook('filter:user.updateProfile', { uid: uid, data: data, fields: fields });
 fields = result.fields;
@@ -51,6 +54,9 @@ module.exports = function (User) {
 await isWebsiteValid(callerUid, data);
 await isAboutMeValid(callerUid, data);
 await isSignatureValid(callerUid, data);
+ isFullnameValid(data);
+ isLocationValid(data);
+ isBirthdayValid(data);
 isGroupTitleValid(data);
 }
@@ -101,12 +107,6 @@ module.exports = function (User) {
 }
 }
- function isGroupTitleValid(data) {
- if (data.groupTitle === 'registered-users' || groups.isPrivilegeGroup(data.groupTitle)) {
- throw new Error('[[error:invalid-group-title]]');
- }
- }
-
 async function isWebsiteValid(callerUid, data) {
 if (!data.website) {
 return;
@@ -135,6 +135,45 @@ module.exports = function (User) {
 await User.checkMinReputation(callerUid, data.uid, 'min:rep:signature');
 }
+ function isFullnameValid(data) {
+ if (!data.fullname) {
+ return;
+ }
+ if (validator.isURL(data.fullname)) {
+ throw new Error('[[error:invalid-fullname]]');
+ }
+ }
+
+ function isLocationValid(data) {
+ if (!data.location) {
+ return;
+ }
+ if (validator.isURL(data.location)) {
+ throw new Error('[[error:invalid-location]]');
+ }
+ }
+
+ function isBirthdayValid(data) {
+ if (!data.birthday) {
+ return;
+ }
+
+ try {
+ const result = new Date(data.birthday);
+ if (result && result.toString() === 'Invalid Date') {
+ throw new Error('[[error:invalid-birthday]]');
+ }
+ } catch (err) {
+ throw new Error('[[error:invalid-birthday]]');
+ }
+ }
+
+ function isGroupTitleValid(data) {
+ if (data.groupTitle === 'registered-users' || groups.isPrivilegeGroup(data.groupTitle)) {
+ throw new Error('[[error:invalid-group-title]]');
+ }
+ }
+
 User.checkMinReputation = async function (callerUid, uid, setting) {
 const isSelf = parseInt(callerUid, 10) === parseInt(uid, 10);
 if (!isSelf || meta.config['reputation:disabled']) {
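Review bot: In the last hunk of src/user/profile.js, `validator.isURL()` in `isFullnameValid` and `isLocationValid` returns true only when the whole value is a URL, so a full name or location that carries a link next to other words still passes, which is weaker than the subject line promises. If links must be kept out of these fields entirely, test each token instead, e.g. `if (data.fullname.split(/\s+/).some(part => validator.isURL(part)))`, accepting that dotted values such as abbreviations may then be rejected. `isURL` also throws a `TypeError` on non-string input, so unless the value is coerced outside this hunk a truthy non-string `fullname` or `location` surfaces as an untranslated error; an `if (typeof data.fullname !== 'string')` guard that throws `[[error:invalid-fullname]]` would cover it. In `isBirthdayValid` the `try`/`catch` mainly re-catches the error thrown one line above it and `result &&` is always truthy, while `new Date()` accepts much more than a calendar date, so a fixed-format check (for instance `validator.isISO8601`, if that matches what the client submits) would be a tighter validation.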