authorBenjamin Kiessling <mittagessen@l.unchti.me>2012-01-21 22:29:35 +0100
committerBenjamin Kiessling <mittagessen@l.unchti.me>2012-01-21 22:29:35 +0100
commitc58b5ac054240f36e0bf96e6754bfe195f0a659a (patch)
tree5e812376b27d05ffdd2785f1ed7ccadfd90632ce
parent3f59dcaa616f88f0627957bedfcab1e4a5548045 (diff)
Sanitize user input
-rw-r--r--frontend.js17
1 files changed, 13 insertions, 4 deletions
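--- a/frontend.js
+++ b/frontend.js
@@ -1,5 +1,6 @@
 var path = require('path');
 var fs = require('fs');
+var sanitize =require('validator').sanitize;
 var model;
@@ -19,13 +20,16 @@ exports.start = function(config) {
 var slideStr = '';
 for(var slide in slides['slides']) {
 if(!slides['slides'].hasOwnProperty(slide)) { continue; }
+ var media = sanitize(slides['slides'][slide]['file']).entityEncode();
 if(slides['slides'][slide]['type'] === 'image') {
- slideStr = slideStr +'<li><img src="/'+slides['slides'][slide]['file']+'">';
+ slideStr = slideStr +'<li><img src="/'+media+'">';
 }
 if(slides['slides'][slide]['head'].length > 0) {
- slideStr = slideStr+'<div class="slideDesc"><div class="slideHead">'+slides['slides'][slide]['head']+'</div>';
+ var head = sanitize(slides['slides'][slide]['head']).xss();
+ slideStr = slideStr+'<div class="slideDesc"><div class="slideHead">'+head+'</div>';
 if(slides['slides'][slide]['text'].length > 0) {
- slideStr = slideStr+'<div class="slideText">'+slides['slides'][slide]['text']+'</div>';
+ var text = sanitize(slides['slides'][slide]['text']).xss();
+ slideStr = slideStr+'<div class="slideText">'+text+'</div>';
 }
 slideStr = slideStr + '</div>';
 }
@@ -40,7 +44,12 @@ exports.start = function(config) {
 eventStr = eventStr + '<li class="eventEl">';
 for(var evF in slides['events'][date][ev]) {
 if(!slides['events'][date][ev].hasOwnProperty(evF)) { continue; }
- eventStr = eventStr + '<div class="eventField ' + evF + '">' + slides['events'][date][ev][evF] + '</div>';
+ if(typeof slides['events'][date][ev][evF] == 'string') {
+ var evClass = evF;
+ var evField = sanitize(slides['events'][date][ev][evF]).entityEncode();
+ var evField = evField.replace(/\\n/g, '<br/>');
+ eventStr = eventStr + '<div class="eventField ' + evClass + '">' + evField + '</div>';
+ }
 }
 eventStr = eventStr + '</li>';
 }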
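Review bot: The field name `evF` is copied into the class attribute unencoded on the `var evClass = evF;` line, while only the field value goes through `entityEncode()`; if the event keys come from the same user-supplied data as the values, the key needs the same treatment, `var evClass = sanitize(evF).entityEncode();`. The replace on the following line uses `/\\n/g`, which matches a literal backslash followed by `n` rather than a newline character, so if the intent is to turn line breaks in the encoded text into `<br/>` it should be `/\n/g` (the second `var evField` also redeclares the variable and can be a plain assignment). In the previous hunk the `head` and `text` fields use `.xss()`, a pattern-based filter that leaves ordinary HTML in place, whereas `media` is entity-encoded; unless those fields are meant to carry markup, `entityEncode()` there would be the consistent and stricter choice. The enclosing `exports.start` function starts before and ends after this hunk.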