Sanitize browse args

Fix #86
commit 0465ea107461ffdfa183853559f2b7bce8c6c06e 1 parent 108a9b0
isaacs isaacs authored
Showing with 11 additions and 6 deletions.
  1. +11 −6 routes/browse.js
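--- a/routes/browse.js
+++ b/routes/browse.js
@@ -1,6 +1,7 @@
 module.exports = browse
 var pageSize = 100
+, sanitizer = require('sanitizer')
 // url is something like:
 // /browse/{type?}/{arg?}/{page}
@@ -19,16 +20,20 @@ function browse (req, res) {
 s = s.split('/')
 var type = s.shift()
 var arg
- if (!type) {
+
+ if (!type)
 type = 'updated'
- }
- if (type !== 'all' && type !== 'updated') {
- // everything but 'all' optionally takes an arg.
+
+ // everything but 'all' optionally takes an arg.
+ if (type !== 'all' && type !== 'updated')
 arg = s.shift()
- }
 var browseby = type
- if (arg) browseby += '/' + encodeURIComponent(arg)
+ if (arg)
+ arg = sanitizer.sanitize(arg).replace(/<[^\>]+>/g, '').trim()
+ if (arg)
+ browseby += '/' + encodeURIComponent(arg)
+
 var title
 var start = page * pageSize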
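Review bot: `type` comes from the same request path as `arg` but is still copied into `browseby` as-is at `var browseby = type`; only `arg` passes through `sanitizer.sanitize`. Any value other than 'all' or 'updated' is accepted here, so if `type` or `browseby` is later echoed into the page it carries the same markup risk this commit closes for `arg`. I would check it against the fixed set of browse types before that assignment, e.g. `if (knownTypes.indexOf(type) === -1) type = 'updated'` (with `knownTypes` a list this file would need to define). Stripping tags from `arg` also leaves quote characters in place, so it does not protect an attribute-value context; escaping where `title` and `arg` are rendered is the more durable control. The body of `browse` continues outside the hunk, so the rendering path is not visible here.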