
browse: Escape user input

1 parent 8fad513 commit 7f727fa028eb56c98d852530193538e1573bf94f @isaacs isaacs committed Mar 8, 2013
Showing with 14 additions and 10 deletions.
  1. +14 −10 routes/browse.js
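--- a/routes/browse.js
+++ b/routes/browse.js
@@ -39,37 +39,41 @@ function browse (req, res) {
 var start = page * pageSize
 var limit = pageSize
 req.model.load('browse', type, arg, start, limit)
+
+ var sarg
+ if (arg)
+ sarg = encodeURIComponent(arg)
 switch (type) {
 case 'all':
 title = 'All Packages (alphabetically)'
 break
 case 'keyword':
 title = 'Browse by Keyword'
- if (arg) title += ': ' + JSON.stringify(arg)
+ if (sarg) title += ': ' + JSON.stringify(sarg)
 break
 case 'author':
 title = 'Browse by Author'
- if (arg) title += ': <a href="/profile/' +
- encodeURIComponent(arg) + '">' + encodeURIComponent(arg) +
+ if (sarg) title += ': <a href="/profile/' +
+ sarg + '">' + sarg +
 '</a>'
 break
 case 'updated':
 title = 'All Packages (by updated date)'
 break
 case 'depended':
- title = arg ? 'Packages depending on ' +
- '<a href="/package/' + arg + '">' + arg + '</a>'
+ title = sarg ? 'Packages depending on ' +
+ '<a href="/package/' + sarg + '">' + sarg + '</a>'
 : 'Most Depended-upon Packages'
 break
 case 'star':
- title = arg ? 'Users who starred ' +
- '<a href="/package/' + arg + '">' + arg + '</a>'
+ title = sarg ? 'Users who starred ' +
+ '<a href="/package/' + sarg + '">' + sarg + '</a>'
 : 'Most Starred Packages'
 break
 case 'userstar':
- title = arg ? 'Starred Packages By User: ' +
- '<a href="/profile/' + encodeURIComponent(arg) + '">' +
- encodeURIComponent(arg) + '</a>'
+ title = sarg ? 'Starred Packages By User: ' +
+ '<a href="/profile/' + sarg + '">' +
+ sarg + '</a>'
 : 'Starred Packages by User'
 break
 default: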
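Review bot: `sarg` carries one URL encoding into two different output contexts: the double-quoted `href` values and the visible link text in the `author`, `depended`, `star` and `userstar` cases, plus the `JSON.stringify(sarg)` text in `keyword`. `encodeURIComponent` does percent-encode `<`, `>`, `"` and `&`, so this holds while every attribute stays double-quoted, but it leaves `'` untouched and makes names display in percent-encoded form (a space renders as `%20`). I would keep `sarg` for the URL path only and HTML-escape `arg` separately for the text nodes, or at minimum record the assumption next to the declaration: `// sarg is URL-encoded; safe in HTML only inside double-quoted attributes or as text`. The body of `browse` starts and ends outside this hunk, so how `title` reaches the template (presumably unescaped, given the anchors built here) is not visible.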
