Nemcio/NodeBB
1
0
Fork 0
mirror of https://github.com/NodeBB/NodeBB.git synced 2026-07-01 01:17:45 +02:00
Code Issues Packages Projects Releases Wiki Activity

escape moderation notes

Browse Source
This commit is contained in:
Baris Usakli
2017-08-18 11:23:15 -04:00
parent db13aac106
commit dc9b21021a
3 changed files with 19 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
src/controllers/accounts/info.js
View File

@@ -47,24 +47,21 @@ infoController.get = function (req, res, callback) {
},
}, next);
},
], function (err, data) {
if (err) {
return callback(err);
}
function (data) {
userData.history = data.history;
userData.sessions = data.sessions;
userData.usernames = data.usernames;
userData.emails = data.emails;
userData.history = data.history;
userData.sessions = data.sessions;
userData.usernames = data.usernames;
userData.emails = data.emails;
if (userData.isAdminOrGlobalModeratorOrModerator) {
userData.moderationNotes = data.notes.notes;
var pageCount = Math.ceil(data.notes.count / itemsPerPage);
userData.pagination = pagination.create(page, pageCount, req.query);
}
userData.title = '[[pages:account/info]]';
userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);
if (userData.isAdminOrGlobalModeratorOrModerator) {
userData.moderationNotes = data.notes.notes;
var pageCount = Math.ceil(data.notes.count / itemsPerPage);
userData.pagination = pagination.create(page, pageCount, req.query);
}
userData.title = '[[pages:account/info]]';
userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);
res.render('account/info', userData);
});
res.render('account/info', userData);
},
], callback);
};

1
src/user/info.js
View File

@@ -166,6 +166,7 @@ module.exports = function (User) {
var data = JSON.parse(note);
uids.push(data.uid);
data.timestampISO = utils.toISOString(data.timestamp);
data.note = validator.escape(String(data.note));
return data;
} catch (err) {
return next(err);

5
test/user.js
View File

@@ -1236,15 +1236,16 @@ describe('User', function () {
setTimeout(next, 50);
},
function (next) {
socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: 'second moderation note' }, next);
socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: '<svg/onload=alert(document.location);//' }, next);
},
function (next) {
User.getModerationNotes(testUid, 0, -1, next);
},
], function (err, notes) {
assert.ifError(err);
assert.equal(notes[0].note, 'second moderation note');
assert.equal(notes[0].note, '&lt;svg&#x2F;onload=alert(document.location);&#x2F;&#x2F;');
assert.equal(notes[0].uid, adminUid);
assert.equal(notes[1].note, 'this is a test user');
assert(notes[0].timestamp);
done();
});