escape email in registration queue and invites
Showing
with
28 additions
and
5 deletions.
-
+2
−0
src/user/approval.js
-
+12
−2
src/user/invite.js
-
+1
−1
src/views/admin/manage/users.tpl
-
+13
−2
test/user.js
|
@@ -4,6 +4,7 @@ |
|
|
var async = require('async'); |
|
|
var request = require('request'); |
|
|
var winston = require('winston'); |
|
|
var validator = require('validator'); |
|
|
|
|
|
var db = require('../database'); |
|
|
var meta = require('../meta'); |
|
@@ -168,6 +169,7 @@ module.exports = function (User) { |
|
|
function (users, next) { |
|
|
users = users.filter(Boolean).map(function (user, index) { |
|
|
user.timestampISO = utils.toISOString(data[index].score); |
|
|
user.email = validator.escape(String(user.email)); |
|
|
delete user.hashedPassword; |
|
|
return user; |
|
|
}); |
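Review bot: `String(user.email)` on the added line turns a missing or null address into the literal text `undefined`/`null`, which is then escaped and returned as if it were the queued email; if queued entries can lack an email, `user.email = validator.escape(String(user.email || ''));` keeps the field empty instead. Escaping on read, as done here, leaves the stored set member untouched, which is the right layer for HTML output encoding, but it also means `validator` must stay in scope for every other reader of the queue that reaches a template. The waterfall step shown is only a fragment; the enclosing waterfall and the `module.exports` function begin outside the hunk.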
|
|
|
@@ -3,17 +3,27 @@ |
|
|
|
|
|
var async = require('async'); |
|
|
var nconf = require('nconf'); |
|
|
var validator = require('validator'); |
|
|
|
|
|
var db = require('./../database'); |
|
|
var meta = require('../meta'); |
|
|
var emailer = require('../emailer'); |
|
|
var translator = require('../translator'); |
|
|
var utils = require('../utils'); |
|
|
|
|
|
|
|
|
module.exports = function (User) { |
|
|
User.getInvites = function (uid, callback) { |
|
|
db.getSetMembers('invitation:uid:' + uid, callback); |
|
|
async.waterfall([ |
|
|
function (next) { |
|
|
db.getSetMembers('invitation:uid:' + uid, next); |
|
|
}, |
|
|
function (emails, next) { |
|
|
emails = emails.map(function (email) { |
|
|
return validator.escape(String(email)); |
|
|
}); |
|
|
next(null, emails); |
|
|
}, |
|
|
], callback); |
|
|
}; |
|
|
|
|
|
User.getInvitesNumber = function (uid, callback) { |
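Review bot: The escaping added in `getInvites` happens when the set is read, but the new test further down (`socketUser.invite` called with `'<script>alert("ok");</script>'` and `assert.ifError(err)`) shows the invite path accepts and stores a value that is not an email address at all, so the root cause is the absent validation at the invite entry point, which this commit does not touch; presumably a `validator.isEmail` check there, returning an error for non-addresses, would narrow what reaches storage in the first place. Any caller that compares the list returned here against a raw stored address would now be comparing an escaped string with an unescaped one — worth checking whether such a caller exists. The second waterfall step does no asynchronous work, so the whole body could be a single `db.getSetMembers('invitation:uid:' + uid, function (err, emails) { ... })` with the map inside, though the waterfall form is not wrong.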
|
|
|
@@ -28,7 +28,7 @@ |
|
|
<a target="_blank" href="{config.relative_path}/api/admin/users/csv" class="btn btn-primary pull-right">[[admin/manage/users:download-csv]]</a> |
|
|
|
|
|
<!-- IF inviteOnly --> |
|
|
<button component="user/invite" class="btn btn-success form-control"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button> |
|
|
<button component="user/invite" class="btn btn-success pull-right"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button> |
|
|
<!-- ENDIF inviteOnly --> |
|
|
|
|
|
<button id="createUser" class="btn btn-primary pull-right">[[admin/manage/users:new]]</button> |
|
|
|
@@ -1405,15 +1405,15 @@ describe('User', function () { |
|
|
username: 'rejectme', |
|
|
password: '123456', |
|
|
'password-confirm': '123456', |
|
|
email: 'reject@me.com', |
|
|
email: '<script>alert("ok");<script>reject@me.com', |
|
|
}, function (err) { |
|
|
assert.ifError(err); |
|
|
helpers.loginUser('admin', '123456', function (err, jar) { |
|
|
assert.ifError(err); |
|
|
request(nconf.get('url') + '/api/admin/manage/registration', { jar: jar, json: true }, function (err, res, body) { |
|
|
assert.ifError(err); |
|
|
assert.equal(body.users[0].username, 'rejectme'); |
|
|
assert.equal(body.users[0].email, 'reject@me.com'); |
|
|
assert.equal(body.users[0].email, '<script>alert("ok");<script>reject@me.com'); |
|
|
done(); |
|
|
}); |
|
|
}); |
|
@@ -1600,6 +1600,17 @@ describe('User', function () { |
|
|
}); |
|
|
}); |
|
|
}); |
|
|
|
|
|
it('should escape email', function (done) { |
|
|
socketUser.invite({ uid: inviterUid }, '<script>alert("ok");</script>', function (err) { |
|
|
assert.ifError(err); |
|
|
User.getInvites(inviterUid, function (err, data) { |
|
|
assert.ifError(err); |
|
|
assert.equal(data[0], '<script>alert("ok");</script>'); |
|
|
done(); |
|
|
}); |
|
|
}); |
|
|
}); |
|
|
}); |
|
|
|
|
|
describe('email confirm', function () { |
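Review bot: As rendered here, the expected values in both new assertions (`body.users[0].email` in the registration hunk and `data[0]` in the invite hunk) are the same text as the unescaped input, so they would not detect a missing escape; presumably the source compares against the entity-escaped form (`&lt;script&gt;...`) and the page decoded it on display — worth confirming before merging. The new registration payload also contains an unclosed second `<script>` tag rather than `</script>`, which looks like a typo and makes the fixture less obviously intentional. Both tests depend on `body.users[0]` and `data[0]` being the entry just created, so any pre-existing queue or invite entries in the fixture would fail them on ordering rather than on escaping. The `describe('User', ...)` block enclosing these tests begins outside the hunk.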
|
|