From c58b5ac054240f36e0bf96e6754bfe195f0a659a Mon Sep 17 00:00:00 2001
From: Benjamin Kiessling
Date: Sat, 21 Jan 2012 22:29:35 +0100
Subject: Sanitize user input
---
 frontend.js | 17 +++++++++++++----
 1 file changed, 13 insertions(+), 4 deletions(-)
diff --git a/frontend.js b/frontend.js
index 90fc67a..30b5457 100644
--- a/frontend.js
+++ b/frontend.js
@@ -1,5 +1,6 @@
 var path = require('path');
 var fs = require('fs');
+var sanitize =require('validator').sanitize;
 var model;
@@ -19,13 +20,16 @@ exports.start = function(config) {
 var slideStr = '';
 for(var slide in slides['slides']) {
 if(!slides['slides'].hasOwnProperty(slide)) { continue; }
+ var media = sanitize(slides['slides'][slide]['file']).entityEncode();
 if(slides['slides'][slide]['type'] === 'image') {
- slideStr = slideStr +'
  • ';
+ slideStr = slideStr +'
  • ';
 }
 if(slides['slides'][slide]['head'].length > 0) {
- slideStr = slideStr+'
    '+slides['slides'][slide]['head']+'
    ';
+ var head = sanitize(slides['slides'][slide]['head']).xss();
+ slideStr = slideStr+'
    '+head+'
    ';
 if(slides['slides'][slide]['text'].length > 0) {
- slideStr = slideStr+'
    '+slides['slides'][slide]['text']+'
    ';
+ var text = sanitize(slides['slides'][slide]['text']).xss();
+ slideStr = slideStr+'
    '+text+'
    ';
 }
 slideStr = slideStr + '
    ';
 }
@@ -40,7 +44,12 @@ exports.start = function(config) {
 eventStr = eventStr + '
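Review bot: `head` and `text` are passed through `.xss()` while `file` and the event fields use `.entityEncode()`; node-validator's `xss()` is a blacklist-style filter (later removed from the library) rather than an output-encoding step, so markup-significant characters in a heading or paragraph can still reach the page. Unless these two fields are meant to carry HTML, encode them like the others: `var head = sanitize(slides['slides'][slide]['head']).entityEncode();` and `var text = sanitize(slides['slides'][slide]['text']).entityEncode();`. The attributes of the `<img>` string literal are not visible in this rendering, so whether `media` is interpolated there is inferred; if it is, entity encoding only prevents breaking out of a quoted attribute and does not constrain the value itself, so a user-supplied `file` still needs a check that it is a relative path or http(s) URL before it is used as `src`. exports.start continues outside the hunk.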
  • ';
 for(var evF in slides['events'][date][ev]) {
 if(!slides['events'][date][ev].hasOwnProperty(evF)) { continue; }
- eventStr = eventStr + '
    ' + slides['events'][date][ev][evF] + '
    ';
+ if(typeof slides['events'][date][ev][evF] == 'string') {
+ var evClass = evF;
+ var evField = sanitize(slides['events'][date][ev][evF]).entityEncode();
+ var evField = evField.replace(/\\n/g, '
    ');
+ eventStr = eventStr + '
    ' + evField + '
    ';
+ }
 }
 eventStr = eventStr + '
  • ';
 }
-- cgit v1.2.1
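Review bot: `evField.replace(/\\n/g, …)` matches a literal backslash followed by `n`, not a newline character, so real line breaks in an event field are never converted; if the fields carry actual newlines this should be `/\n/g`, and if they deliberately carry the two-character sequence a comment should say so. The same statement also redeclares `evField` with a second `var`, which can be collapsed into one `var evField = sanitize(slides['events'][date][ev][evF]).entityEncode().replace(/\n/g, …);`. `evClass` copies the object key unencoded; if it ends up in the element's class attribute (the markup inside the string literals is not visible in this rendering) it should go through `entityEncode()` as well, since `hasOwnProperty` is not a content check. The added `typeof … == 'string'` guard silently drops non-string values that the removed line still rendered, which deserves a comment if it is intended. exports.start continues outside the hunk.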