From adf4be783696c6f29222bbdb8be3176184dd42ff Mon Sep 17 00:00:00 2001
From: witzig
Date: Sun, 19 Mar 2017 15:53:41 +0100
Subject: [PATCH] Fixed security issue where custom form description tags were able to include script tags

---
 lib/models/forms.js | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/lib/models/forms.js b/lib/models/forms.js
index a47135cf..b86aee6e 100644
--- a/lib/models/forms.js
+++ b/lib/models/forms.js
@@ -102,6 +102,9 @@ module.exports.create = (listId, form, callback) => {
 Object.keys(form).forEach(key => {
 let value = form[key].trim();
 key = tools.toDbKey(key);
+ if (key === 'description') {
+ value = tools.purifyHTML(value);
+ }
 if (allowedKeys.indexOf(key) >= 0) {
 keys.push(key);
 values.push(value);
@@ -146,6 +149,9 @@ module.exports.update = (id, updates, callback) => {
 Object.keys(updates).forEach(key => {
 let value = typeof updates[key] === 'string' ? updates[key].trim() : updates[key];
 key = tools.toDbKey(key);
+ if (key === 'description') {
+ value = tools.purifyHTML(value);
+ }
 if (allowedKeys.indexOf(key) >= 0) {
 keys.push(key);
 values.push(value);
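Review bot: The new `if (key === 'description')` guard in the create hunk sanitizes exactly one field at write time, so the fix holds only as long as `description` is the sole allowed key that is later rendered as raw HTML; nothing in the hunk shows what else `allowedKeys` contains or how the template renders those fields, so that assumption should be stated next to the check, e.g. `// description is rendered as HTML by the form template; every other allowed key must be escaped at output`. The identical three lines are repeated in the update hunk, which invites the two paths to drift the next time a field is added; a single helper such as `value = sanitizeFormValue(key, value);` called from both `create` and `update` would keep the policy in one place. Storing purified HTML is one layer, not a substitute for output encoding, and a short note saying which sanitizer `tools.purifyHTML` wraps would help the next reviewer judge its coverage. The bodies of `module.exports.create` and `module.exports.update` both begin and end outside these hunks.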
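Review bot: In the update hunk `value` is only trimmed when `updates[key]` is a string, so a non-string `description` (for example `null` or `undefined` when a caller clears the field) now reaches `tools.purifyHTML(value)` unconditionally; unless that helper tolerates non-strings, which the hunk does not show, the update path can throw or store a coerced `"null"`/`"undefined"` where the old code stored the value as-is. Narrowing the guard keeps the sanitizer on the same inputs the trim logic already treats as text: `if (key === 'description' && typeof value === 'string') {`. The create hunk is unaffected because `form[key].trim()` already assumes a string there. The enclosing `module.exports.update` body continues past the end of the hunk.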