From bb224184d8aa4460b70d4432eb794e32ea2e8d34 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?=
Date: Fri, 31 Jul 2020 13:37:14 -0400
Subject: [PATCH] fix: #8539, enforce content checks for post queue
---
 src/posts/queue.js | 6 ++++++
 src/topics/create.js | 44 ++++++++++++++++++++++++++------------------
 2 files changed, 32 insertions(+), 18 deletions(-)
diff --git a/src/posts/queue.js b/src/posts/queue.js
index 8a54f499184d..2134f44fe9f7 100644
--- a/src/posts/queue.js
+++ b/src/posts/queue.js
@@ -94,6 +94,12 @@ module.exports = function (Posts) {
 reply: 'topics:reply',
 };
+ topics.checkContent(data.content);
+ if (type === 'topic') {
+ topics.checkTitle(data.title);
+ await topics.validateTags(data.tags);
+ }
+
 const [canPost] = await Promise.all([
 privileges.categories.can(typeToPrivilege[type], cid, data.uid),
 user.isReadyToQueue(data.uid, cid),
diff --git a/src/topics/create.js b/src/topics/create.js
index ad7902d6ce45..7471b3bde9c3 100644
--- a/src/topics/create.js
+++ b/src/topics/create.js
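Review bot: In the src/posts/queue.js hunk, the queue path calls `await topics.validateTags(data.tags);` without a category id, while `Topics.post` in src/topics/create.js (the -71,9 hunk) calls `Topics.validateTags(data.tags, data.cid)`. If validateTags applies any per-category tag rule, a queued topic would be checked against different rules than one posted directly, which is the kind of gap this commit is meant to close. `cid` appears to be in scope here, since it is passed to `privileges.categories.can` a few lines below, so `await topics.validateTags(data.tags, cid);` would keep the two paths aligned. The enclosing function starts and ends outside the hunk, so the definition of `cid` should be confirmed there.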
@@ -1,24 +1,24 @@
 'use strict';
-var _ = require('lodash');
-var validator = require('validator');
-
-var db = require('../database');
-var utils = require('../utils');
-var plugins = require('../plugins');
-var analytics = require('../analytics');
-var user = require('../user');
-var meta = require('../meta');
-var posts = require('../posts');
-var privileges = require('../privileges');
-var categories = require('../categories');
+const _ = require('lodash');
+const validator = require('validator');
+
+const db = require('../database');
+const utils = require('../utils');
+const plugins = require('../plugins');
+const analytics = require('../analytics');
+const user = require('../user');
+const meta = require('../meta');
+const posts = require('../posts');
+const privileges = require('../privileges');
+const categories = require('../categories');
 const translator = require('../translator');
 module.exports = function (Topics) {
 Topics.create = async function (data) {
 // This is an internal method, consider using Topics.post instead
- var timestamp = data.timestamp || Date.now();
+ const timestamp = data.timestamp || Date.now();
 await Topics.resizeAndUploadThumb(data);
 const tid = await db.incrObjectField('global', 'nextTid');
@@ -71,9 +71,9 @@ module.exports = function (Topics) {
 if (data.content) {
 data.content = utils.rtrim(data.content);
 }
- check(data.title, meta.config.minimumTitleLength, meta.config.maximumTitleLength, 'title-too-short', 'title-too-long');
+ Topics.checkTitle(data.title);
 await Topics.validateTags(data.tags, data.cid);
- check(data.content, meta.config.minimumPostLength, meta.config.maximumPostLength, 'content-too-short', 'content-too-long');
+ Topics.checkContent(data.content);
 const [categoryExists, canCreate, canTag] = await Promise.all([
 categories.exists(data.cid),
@@ -135,8 +135,8 @@ module.exports = function (Topics) {
 };
 Topics.reply = async function (data) {
- var tid = data.tid;
- var uid = data.uid;
+ const tid = data.tid;
+ const uid = data.uid;
 const topicData = await Topics.getTopicData(tid);
 if (!topicData) {
@@ -170,7 +170,7 @@ module.exports = function (Topics) {
 if (data.content) {
 data.content = utils.rtrim(data.content);
 }
- check(data.content, meta.config.minimumPostLength, meta.config.maximumPostLength, 'content-too-short', 'content-too-long');
+ Topics.checkContent(data.content);
 data.ip = data.req ? data.req.ip : null;
 let postData = await posts.create(data);
@@ -235,6 +235,14 @@ module.exports = function (Topics) {
 return postData;
 }
+ Topics.checkTitle = function (title) {
+ check(title, meta.config.minimumTitleLength, meta.config.maximumTitleLength, 'title-too-short', 'title-too-long');
+ };
+
+ Topics.checkContent = function (content) {
+ check(content, meta.config.minimumPostLength, meta.config.maximumPostLength, 'content-too-short', 'content-too-long');
+ };
+
 function check(item, min, max, minError, maxError) {
 // Trim and remove HTML (latter for composers that send in HTML, like redactor)
 if (typeof item === 'string') {
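Review bot: `Topics.checkTitle` and `Topics.checkContent` in the -235,6 hunk are now part of the exported Topics API, and src/posts/queue.js calls them with the return value ignored, yet nothing documents that they appear to report a violation by throwing. A short comment above each, e.g. `// Throws if the title length is outside meta.config.minimumTitleLength..maximumTitleLength; returns nothing.`, would keep a later caller from treating them as boolean predicates and silently skipping the check. The body of `check` continues past the end of this hunk, so how it treats a non-string value cannot be confirmed from here. If non-strings are rejected, the comment should say so, since the queue passes request-supplied `data` fields straight in.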