From d1540322c97519d97cbfe6345b016b6ceaf7c64d Mon Sep 17 00:00:00 2001
From: barisusakli
Date: Fri, 26 Dec 2014 15:44:00 -0500
Subject: [PATCH] closes #2555

---
 src/controllers/accounts.js | 3 ++-
 src/user/profile.js | 4 ++--
 2 files changed, 4 insertions(+), 3 deletions(-)

diff --git a/src/controllers/accounts.js b/src/controllers/accounts.js
index 01f63b345d..804541fe42 100644
--- a/src/controllers/accounts.js
+++ b/src/controllers/accounts.js
@@ -7,6 +7,7 @@ var fs = require('fs'),
 	winston = require('winston'),
 	nconf = require('nconf'),
 	async = require('async'),
+	validator = require('validator'),
 	db = require('../database'),
 	user = require('../user'),
@@ -95,7 +96,7 @@ function getUserDataByUserSlug(userslug, callerUID, callback) {
 		userData.profile_links = results.profile_links;
 		userData.status = websockets.isUserOnline(userData.uid) ? (userData.status || 'online') : 'offline';
 		userData.banned = parseInt(userData.banned, 10) === 1;
-		userData.websiteName = userData.website.replace('http://', '').replace('https://', '');
+		userData.websiteName = userData.website.replace(validator.escape('http://'), '').replace(validator.escape('https://'), '');
 		userData.followingCount = results.followStats.followingCount;
 		userData.followerCount = results.followStats.followerCount;
diff --git a/src/user/profile.js b/src/user/profile.js
index b64398413c..866cc05219 100644
--- a/src/user/profile.js
+++ b/src/user/profile.js
@@ -116,8 +116,8 @@ module.exports = function(User) {
 			} else if (field === 'signature') {
 				data[field] = S(data[field]).stripTags().s;
 			} else if (field === 'website') {
-				if(data[field].substr(0, 7) !== 'http://' && data[field].substr(0, 8) !== 'https://') {
-					data[field] = 'http://' + data[field];
+				if (!data[field].startsWith(validator.escape('http://')) && !data[field].startsWith(validator.escape('https://'))) {
+					data[field] = validator.escape('http://') + data[field];
 				}
 			}
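Review bot: The new `userData.websiteName` line strips only the HTML-escaped form of the scheme, so any `website` value that reached the database without going through `validator.escape` (records written before this change, or another write path not visible here) now keeps its `http://`/`https://` prefix in the displayed name, and a missing `website` still throws on `.replace` as it did before. Nothing in the hunk states that `website` is expected to be stored escaped, which is what this line now depends on; a why-comment would spare the next reader a trip to profile.js: `// website is stored HTML-escaped (see user/profile.js), so match the escaped scheme prefix`. Hoisting the two `validator.escape(...)` results into module-level constants would also avoid recomputing them per request and keep the two files' notion of the prefix in one place. getUserDataByUserSlug starts and ends outside the hunk.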
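Review bot: `validator` is not brought into scope by this hunk, unlike the accounts.js hunk which adds the `require`; unless profile.js already requires it above line 116, both new lines throw a ReferenceError on the first profile update that includes a website. The new check also assumes `data[field]` is already HTML-escaped when this branch runs — if the escaping of the field happens after it (not visible here), a raw `http://example.com` fails the escaped-prefix test and gets an escaped `http://` prepended, producing a mixed-encoding, doubly-prefixed value that the accounts.js strip will not fully undo; a comment such as `// data[field] is compared and stored in HTML-escaped form; keep these prefixes in sync with the escaping applied to this field` would pin that contract. `String.prototype.startsWith` is ES2015; if the supported Node range at the time of this commit predates it, the previous `substr` comparison (against the escaped prefixes) or `indexOf(...) === 0` keeps compatibility. The enclosing function starts and ends outside the hunk.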