escape email in registration queue and invites

NodeBB · Dec 1, 2017 · e3fd4020706ae1e44c92bc3da1b0385d628c503f · e3fd402
1 parent 50e824f
commit e3fd4020706ae1e44c92bc3da1b0385d628c503f
Unified Split

Showing with 28 additions and 5 deletions.

+2 −0 src/user/approval.js

+12 −2 src/user/invite.js

+1 −1 src/views/admin/manage/users.tpl

+13 −2 test/user.js
diff --git a/src/user/approval.js b/src/user/approval.js
@@ -4,6 +4,7 @@
 var async = require('async');
 var request = require('request');
 var winston = require('winston');
+var validator = require('validator');

 var db = require('../database');
 var meta = require('../meta');
@@ -168,6 +169,7 @@ module.exports = function (User) {
 			function (users, next) {
 				users = users.filter(Boolean).map(function (user, index) {
 					user.timestampISO = utils.toISOString(data[index].score);
+					user.email = validator.escape(String(user.email));
 					delete user.hashedPassword;
 					return user;
 				});
diff --git a/src/user/invite.js b/src/user/invite.js
@@ -3,17 +3,27 @@

 var async = require('async');
 var nconf = require('nconf');
+var validator = require('validator');

 var db = require('./../database');
 var meta = require('../meta');
 var emailer = require('../emailer');
 var translator = require('../translator');
 var utils = require('../utils');

-
 module.exports = function (User) {
 	User.getInvites = function (uid, callback) {
-		db.getSetMembers('invitation:uid:' + uid, callback);
+		async.waterfall([
+			function (next) {
+				db.getSetMembers('invitation:uid:' + uid, next);
+			},
+			function (emails, next) {
+				emails = emails.map(function (email) {
+					return validator.escape(String(email));
+				});
+				next(null, emails);
+			},
+		], callback);
 	};

 	User.getInvitesNumber = function (uid, callback) {
diff --git a/src/views/admin/manage/users.tpl b/src/views/admin/manage/users.tpl
@@ -28,7 +28,7 @@
 					<a target="_blank" href="{config.relative_path}/api/admin/users/csv" class="btn btn-primary pull-right">[[admin/manage/users:download-csv]]</a>

 					<!-- IF inviteOnly -->
-					<button component="user/invite" class="btn btn-success form-control"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button>
+					<button component="user/invite" class="btn btn-success pull-right"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button>
 					<!-- ENDIF inviteOnly -->

 					<button id="createUser" class="btn btn-primary pull-right">[[admin/manage/users:new]]</button>
diff --git a/test/user.js b/test/user.js
@@ -1405,15 +1405,15 @@ describe('User', function () {
 				username: 'rejectme',
 				password: '123456',
 				'password-confirm': '123456',
-				email: 'reject@me.com',
+				email: '<script>alert("ok");<script>reject@me.com',
 			}, function (err) {
 				assert.ifError(err);
 				helpers.loginUser('admin', '123456', function (err, jar) {
 					assert.ifError(err);
 					request(nconf.get('url') + '/api/admin/manage/registration', { jar: jar, json: true }, function (err, res, body) {
 						assert.ifError(err);
 						assert.equal(body.users[0].username, 'rejectme');
-						assert.equal(body.users[0].email, 'reject@me.com');
+						assert.equal(body.users[0].email, '&lt;script&gt;alert(&quot;ok&quot;);&lt;script&gt;reject@me.com');
 						done();
 					});
 				});
@@ -1600,6 +1600,17 @@ describe('User', function () {
 				});
 			});
 		});
+
+		it('should escape email', function (done) {
+			socketUser.invite({ uid: inviterUid }, '<script>alert("ok");</script>', function (err) {
+				assert.ifError(err);
+				User.getInvites(inviterUid, function (err, data) {
+					assert.ifError(err);
+					assert.equal(data[0], '&lt;script&gt;alert(&quot;ok&quot;);&lt;&#x2F;script&gt;');
+					done();
+				});
+			});
+		});
 	});

 	describe('email confirm', function () {