escape moderation notes
barisusakli committed Aug 18, 2017
1 parent db13aac commit dc9b21021ab08cba0478baa25e75017059ade05d
Showing with 19 additions and 20 deletions.
  1. +15 −18 src/controllers/accounts/info.js
  2. +1 −0 src/user/info.js
  3. +3 −2 test/user.js
@@ -47,24 +47,21 @@ infoController.get = function (req, res, callback) {
},
}, next);
},
], function (err, data) {
if (err) {
return callback(err);
}
function (data) {
userData.history = data.history;
userData.sessions = data.sessions;
userData.usernames = data.usernames;
userData.emails = data.emails;

userData.history = data.history;
userData.sessions = data.sessions;
userData.usernames = data.usernames;
userData.emails = data.emails;

if (userData.isAdminOrGlobalModeratorOrModerator) {
userData.moderationNotes = data.notes.notes;
var pageCount = Math.ceil(data.notes.count / itemsPerPage);
userData.pagination = pagination.create(page, pageCount, req.query);
}
userData.title = '[[pages:account/info]]';
userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);
if (userData.isAdminOrGlobalModeratorOrModerator) {
userData.moderationNotes = data.notes.notes;
var pageCount = Math.ceil(data.notes.count / itemsPerPage);
userData.pagination = pagination.create(page, pageCount, req.query);
}
userData.title = '[[pages:account/info]]';
userData.breadcrumbs = helpers.buildBreadcrumbs([{ text: userData.username, url: '/user/' + userData.userslug }, { text: '[[user:account_info]]' }]);

res.render('account/info', userData);
});
res.render('account/info', userData);
},
], callback);
};
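Review bot: `userData.moderationNotes = data.notes.notes` passes the notes straight to the template, and nothing in this step records that they arrive already HTML-escaped; that escaping now lives in `User.getModerationNotes` (src/user/info.js in this commit), so a later edit to the controller or template could escape twice or, if the user-side escape were ever dropped, not at all. A comment above that assignment would pin the contract, e.g. `// notes are already HTML-escaped by User.getModerationNotes; do not escape again here`. As a point of style, `var pageCount` declared inside the `if` is function-scoped regardless of the block; inlining it as `pagination.create(page, Math.ceil(data.notes.count / itemsPerPage), req.query)` or declaring it with the step's other locals would read more clearly. The rewritten waterfall step is complete within this hunk.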
@@ -166,6 +166,7 @@ module.exports = function (User) {
var data = JSON.parse(note);
uids.push(data.uid);
data.timestampISO = utils.toISOString(data.timestamp);
data.note = validator.escape(String(data.note));
return data;
} catch (err) {
return next(err);
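Review bot: The new `validator.escape(String(data.note))` line escapes at read time, so the stored entry keeps its raw text and any other reader of these entries has to escape independently; the hunk gives no hint of that contract. A comment above the new line would make it explicit, e.g. `// notes are stored unescaped; escape for HTML on read so callers can render directly`. `String(data.note)` also turns a missing or null note into the literal text "undefined"/"null" rather than an empty string — presumably setModerationNote always stores a string, but that is worth confirming before relying on it. The enclosing parse callback starts and ends outside the hunk.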
@@ -1236,15 +1236,16 @@ describe('User', function () {
setTimeout(next, 50);
},
function (next) {
socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: 'second moderation note' }, next);
socketUser.setModerationNote({ uid: adminUid }, { uid: testUid, note: '<svg/onload=alert(document.location);//' }, next);
},
function (next) {
User.getModerationNotes(testUid, 0, -1, next);
},
], function (err, notes) {
assert.ifError(err);
assert.equal(notes[0].note, 'second moderation note');
assert.equal(notes[0].note, '&lt;svg&#x2F;onload=alert(document.location);&#x2F;&#x2F;');
assert.equal(notes[0].uid, adminUid);
assert.equal(notes[1].note, 'this is a test user');
assert(notes[0].timestamp);
done();
});
