
escape email in registration queue and invites

barisusakli committed Dec 1, 2017
1 parent 50e824f commit e3fd4020706ae1e44c92bc3da1b0385d628c503f
Showing with 28 additions and 5 deletions.
  1. +2 −0 src/user/approval.js
  2. +12 −2 src/user/invite.js
  3. +1 −1 src/views/admin/manage/users.tpl
  4. +13 −2 test/user.js
@@ -4,6 +4,7 @@
var async = require('async');
var request = require('request');
var winston = require('winston');
var validator = require('validator');
var db = require('../database');
var meta = require('../meta');
@@ -168,6 +169,7 @@ module.exports = function (User) {
function (users, next) {
users = users.filter(Boolean).map(function (user, index) {
user.timestampISO = utils.toISOString(data[index].score);
user.email = validator.escape(String(user.email));
delete user.hashedPassword;
return user;
});
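Review bot: `String(user.email)` on the added line turns a queued entry with no email into the literal string `'undefined'`, which the admin listing would then show as the address; guard it with `user.email = validator.escape(String(user.email || ''));`. Because the escaping is done in the data layer, `/api/admin/manage/registration` now returns entity-encoded emails (the test pins `&lt;script&gt;…`), so any template or client that escapes again will double-encode — worth confirming the admin template renders this field raw. Escaping on read also leaves the raw string in the queue; if the path that queues a registration does not already reject addresses failing `validator.isEmail` (not visible in this hunk), doing so before storage would be the stronger fix with this escape kept as defense in depth. The waterfall step here belongs to a function whose start and end lie outside the hunk.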
@@ -3,17 +3,27 @@
var async = require('async');
var nconf = require('nconf');
var validator = require('validator');
var db = require('./../database');
var meta = require('../meta');
var emailer = require('../emailer');
var translator = require('../translator');
var utils = require('../utils');
module.exports = function (User) {
User.getInvites = function (uid, callback) {
db.getSetMembers('invitation:uid:' + uid, callback);
async.waterfall([
function (next) {
db.getSetMembers('invitation:uid:' + uid, next);
},
function (emails, next) {
emails = emails.map(function (email) {
return validator.escape(String(email));
});
next(null, emails);
},
], callback);
};
User.getInvitesNumber = function (uid, callback) {
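Review bot: `User.getInvites` now escapes on read, but the raw string is still what is stored in `invitation:uid:<uid>` and, presumably, what the invitation email is sent to — the new test shows `socketUser.invite` accepting `<script>alert("ok");</script>` as an address. Since `validator` is now required in this file, the invite path (outside this hunk) should reject anything that fails `validator.isEmail(email)` before it is added to the set, keeping the escape in `getInvites` as a second layer. Note also that `validator.escape` encodes `/` as `&#x2F;` (the test expects exactly that), so the value returned by `getInvites` is no longer a usable address; any caller that compares or resends invitations must work from the stored form rather than this output.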
@@ -28,7 +28,7 @@
<a target="_blank" href="{config.relative_path}/api/admin/users/csv" class="btn btn-primary pull-right">[[admin/manage/users:download-csv]]</a>
<!-- IF inviteOnly -->
<button component="user/invite" class="btn btn-success form-control"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button>
<button component="user/invite" class="btn btn-success pull-right"><i class="fa fa-users"></i> [[admin/manage/users:invite]]</button>
<!-- ENDIF inviteOnly -->
<button id="createUser" class="btn btn-primary pull-right">[[admin/manage/users:new]]</button>
@@ -1405,15 +1405,15 @@ describe('User', function () {
username: 'rejectme',
password: '123456',
'password-confirm': '123456',
email: 'reject@me.com',
email: '<script>alert("ok");<script>reject@me.com',
}, function (err) {
assert.ifError(err);
helpers.loginUser('admin', '123456', function (err, jar) {
assert.ifError(err);
request(nconf.get('url') + '/api/admin/manage/registration', { jar: jar, json: true }, function (err, res, body) {
assert.ifError(err);
assert.equal(body.users[0].username, 'rejectme');
assert.equal(body.users[0].email, 'reject@me.com');
assert.equal(body.users[0].email, '&lt;script&gt;alert(&quot;ok&quot;);&lt;script&gt;reject@me.com');
done();
});
});
@@ -1600,6 +1600,17 @@ describe('User', function () {
});
});
});
it('should escape email', function (done) {
socketUser.invite({ uid: inviterUid }, '<script>alert("ok");</script>', function (err) {
assert.ifError(err);
User.getInvites(inviterUid, function (err, data) {
assert.ifError(err);
assert.equal(data[0], '&lt;script&gt;alert(&quot;ok&quot;);&lt;&#x2F;script&gt;');
done();
});
});
});
});
describe('email confirm', function () {
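Review bot: The new "should escape email" case reads `data[0]` from `User.getInvites`, but that function is backed by `db.getSetMembers`, whose member order is not guaranteed and which may already hold invitations for `inviterUid` from earlier cases, so the assertion can fail on ordering alone. Assert membership instead: `assert.notEqual(data.indexOf('&lt;script&gt;alert(&quot;ok&quot;);&lt;&#x2F;script&gt;'), -1);`. The registration case likewise depends on `body.users[0]` being the `rejectme` entry, which holds only while nothing else is queued. Both cases also document that a non-email string is accepted by the invite and registration-queue paths; a companion test asserting that such input is rejected would pin the stronger fix.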
