From c973a9caba07f8a72f79f1ee117045a4bb2c0c87 Mon Sep 17 00:00:00 2001
From: Opliko
Date: Thu, 9 May 2024 11:25:05 +0200
Subject: [PATCH] fix: encode most uses of pid to avoid more bugs like #12545

---
 public/src/client/topic.js | 8 ++++----
 public/src/client/topic/delete-posts.js | 4 ++--
 public/src/client/topic/diffs.js | 8 ++++----
 public/src/client/topic/move-post.js | 2 +-
 public/src/client/topic/postTools.js | 2 +-
 public/src/modules/topicThumbs.js | 2 +-
 src/topics/posts.js | 2 +-
 7 files changed, 14 insertions(+), 14 deletions(-)

diff --git a/public/src/client/topic.js b/public/src/client/topic.js
index b4dd497dc3..48132a29fa 100644
--- a/public/src/client/topic.js
+++ b/public/src/client/topic.js
@@ -302,7 +302,7 @@ define('forum/topic', [
 destroyed = false;
 async function renderPost(pid) {
- const postData = postCache[pid] || await api.get(`/posts/${pid}/summary`);
+ const postData = postCache[pid] || await api.get(`/posts/${encodeURIComponent(pid)}/summary`);
 $('#post-tooltip').remove();
 if (postData && ajaxify.data.template.topic) {
 postCache[pid] = postData;
@@ -329,11 +329,11 @@ define('forum/topic', [
 const pathname = location.pathname;
 const validHref = href && href !== '#' && window.location.hostname === location.hostname;
 $('#post-tooltip').remove();
- const postMatch = validHref && pathname && pathname.match(/\/post\/([\d]+)/);
- const topicMatch = validHref && pathname && pathname.match(/\/topic\/([\d]+)/);
+ const postMatch = validHref && pathname && pathname.match(/\/post\/([\d]+|(?:[\w_.~!$&'()*+,;=:@-]|%[\dA-F]{2})+)/);
+ const topicMatch = validHref && pathname && pathname.match(/\/topic\/([\da-z-]+)/);
 if (postMatch) {
 const pid = postMatch[1];
- if (parseInt(link.parents('[component="post"]').attr('data-pid'), 10) === parseInt(pid, 10)) {
+ if (link.parents('[component="post"]').attr('data-pid') === pid) {
 return; // dont render self post
 }
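Review bot: `postCache[pid]` on the changed line now keys a cache with a pid that this same commit allows to be a non-numeric string, so a pid such as `constructor` or `__proto__` would resolve through Object.prototype instead of the cache, and the write `postCache[pid] = postData` on the last context line would then assign to the prototype. If postCache is declared as a plain object literal (its declaration is outside the hunk), prefer `Object.create(null)` or a `Map` for it, or at least guard the read with `Object.hasOwn(postCache, pid) ? postCache[pid] : await api.get(...)`. renderPost's body continues outside the hunk.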
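Review bot: The pid captured by the new postMatch regex comes from `location.pathname`, which (assuming `location` is an anchor or URL object built from href, outside the hunk) is still percent-encoded, yet it is compared as-is with `data-pid` and, if it later reaches `renderPost(pid)`, would be encoded a second time by `encodeURIComponent`, turning `%` into `%25`; decoding once at the capture site fixes both, `const pid = decodeURIComponent(postMatch[1]);`. Two smaller points on the regex literal itself: the leading `[\d]+` alternative is subsumed by the second one but, being tried first, makes `/post/12ab` capture only `12`, and `%[\dA-F]{2}` rejects lowercase hex escapes such as `%2f` because the literal has no `i` flag. The enclosing handler starts and ends outside the hunk.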
diff --git a/public/src/client/topic/delete-posts.js b/public/src/client/topic/delete-posts.js
index 6ce4e0f8a0..58b4058f09 100644
--- a/public/src/client/topic/delete-posts.js
+++ b/public/src/client/topic/delete-posts.js
@@ -35,10 +35,10 @@ define('forum/topic/delete-posts', [
 showPostsSelected();
 deleteBtn.on('click', function () {
- deletePosts(deleteBtn, pid => `/posts/${pid}/state`);
+ deletePosts(deleteBtn, pid => `/posts/${encodeURIComponent(pid)}/state`);
 });
 purgeBtn.on('click', function () {
- deletePosts(purgeBtn, pid => `/posts/${pid}`);
+ deletePosts(purgeBtn, pid => `/posts/${encodeURIComponent(pid)}`);
 });
 });
 };
diff --git a/public/src/client/topic/diffs.js b/public/src/client/topic/diffs.js
index 22fca5868e..6fb5c9e018 100644
--- a/public/src/client/topic/diffs.js
+++ b/public/src/client/topic/diffs.js
@@ -9,7 +9,7 @@ define('forum/topic/diffs', ['api', 'bootbox', 'alerts', 'forum/topic/images'],
 return;
 }
- api.get(`/posts/${pid}/diffs`, {}).then((data) => {
+ api.get(`/posts/${encodeURIComponent(pid)}/diffs`, {}).then((data) => {
 parsePostHistory(data).then(($html) => {
 const $modal = bootbox.dialog({
 title: '[[topic:diffs.title]]',
@@ -57,7 +57,7 @@ define('forum/topic/diffs', ['api', 'bootbox', 'alerts', 'forum/topic/images'],
 return;
 }
- api.get(`/posts/${pid}/diffs/${since}`, {}).then((data) => {
+ api.get(`/posts/${encodeURIComponent(pid)}/diffs/${since}`, {}).then((data) => {
 data.deleted = !!parseInt(data.deleted, 10);
 app.parseAndTranslate('partials/posts_list', 'posts', {
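Review bot: `since` is still interpolated raw into the path on the new api.get line while the `pid` beside it is now encoded; the same applies to `since` in the api.put and `timestamp` in the api.del of the next hunk (line 74). If these are always numeric timestamps this is harmless, but their source is outside the hunk, so for the consistency this commit is after either encode them the same way, `/diffs/${encodeURIComponent(since)}`, or reject non-integers with `Number.isInteger(Number(since))` before building the URL. The enclosing function starts outside the hunk.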
@@ -74,14 +74,14 @@ define('forum/topic/diffs', ['api', 'bootbox', 'alerts', 'forum/topic/images'],
 return;
 }
- api.put(`/posts/${pid}/diffs/${since}`, {}).then(() => {
+ api.put(`/posts/${encodeURIComponent(pid)}/diffs/${since}`, {}).then(() => {
 $modal.modal('hide');
 alerts.success('[[topic:diffs.post-restored]]');
 }).catch(alerts.error);
 };
 Diffs.delete = function (pid, timestamp, $selectEl, $numberOfDiffCon) {
- api.del(`/posts/${pid}/diffs/${timestamp}`).then((data) => {
+ api.del(`/posts/${encodeURIComponent(pid)}/diffs/${timestamp}`).then((data) => {
 parsePostHistory(data, 'diffs').then(($html) => {
 $selectEl.empty().append($html);
 $selectEl.trigger('change');
diff --git a/public/src/client/topic/move-post.js b/public/src/client/topic/move-post.js
index 555737d194..3c154b9374 100644
--- a/public/src/client/topic/move-post.js
+++ b/public/src/client/topic/move-post.js
@@ -141,7 +141,7 @@ define('forum/topic/move-post', [
 return;
 }
- Promise.all(data.pids.map(pid => api.put(`/posts/${pid}/move`, {
+ Promise.all(data.pids.map(pid => api.put(`/posts/${encodeURIComponent(pid)}/move`, {
 tid: data.tid,
 }))).then(() => {
 data.pids.forEach(function (pid) {
diff --git a/public/src/client/topic/postTools.js b/public/src/client/topic/postTools.js
index dd90972c3c..92348d07a4 100644
--- a/public/src/client/topic/postTools.js
+++ b/public/src/client/topic/postTools.js
@@ -360,7 +360,7 @@ define('forum/topic/postTools', [
 function bookmarkPost(button, pid) {
 const method = button.attr('data-bookmarked') === 'false' ? 'put' : 'del';
- api[method](`/posts/${pid}/bookmark`, undefined, function (err) {
+ api[method](`/posts/${encodeURIComponent(pid)}/bookmark`, undefined, function (err) {
 if (err) {
 return alerts.error(err);
 }
diff --git a/public/src/modules/topicThumbs.js b/public/src/modules/topicThumbs.js
index 8c4305abaa..368ecf71b0 100644
--- a/public/src/modules/topicThumbs.js
+++ b/public/src/modules/topicThumbs.js
@@ -7,7 +7,7 @@ define('topicThumbs', [
 Thumbs.get = id => api.get(`/topics/${id}/thumbs`, {});
- Thumbs.getByPid = pid => api.get(`/posts/${pid}`, {}).then(post => Thumbs.get(post.tid));
+ Thumbs.getByPid = pid => api.get(`/posts/${encodeURIComponent(pid)}`, {}).then(post => Thumbs.get(post.tid));
 Thumbs.delete = (id, path) => api.del(`/topics/${id}/thumbs`, {
 path: path,
diff --git a/src/topics/posts.js b/src/topics/posts.js
index b2eb70d382..272b4d77ac 100644
--- a/src/topics/posts.js
+++ b/src/topics/posts.js
@@ -443,7 +443,7 @@ module.exports = function (Topics) {
 await Topics.events.log(tid, {
 uid,
 type: 'backlink',
- href: `/post/${pid}`,
+ href: `/post/${encodeURIComponent(pid)}`,
 });
 }));
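Review bot: The topic id is still interpolated raw in `Thumbs.get` and `Thumbs.delete` on the context lines around the changed one, and that includes the `post.tid` the new `Thumbs.getByPid` hands to `Thumbs.get`; the topicMatch regex this same commit introduces in topic.js (`[\da-z-]+`) suggests tids are not guaranteed to be purely numeric. For consistency with the commit's intent, `Thumbs.get = id => api.get(`/topics/${encodeURIComponent(id)}/thumbs`, {});` and the same treatment of `id` in `Thumbs.delete` would close the gap.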