public/mailtrain
1
0
Fork 0
Code Issues Pull requests Releases Wiki Activity

Fixed security issue where custom form description tags were able to include script tags

Browse source
This commit is contained in:
witzig 2017-03-19 15:53:41 +01:00
parent b09af60fac
commit adf4be7836
1 changed files with 6 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

6
lib/models/forms.js
View file

@ -102,6 +102,9 @@ module.exports.create = (listId, form, callback) => {
Object.keys(form).forEach(key => { Object.keys(form).forEach(key => {
let value = form[key].trim(); let value = form[key].trim();
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0) { if (allowedKeys.indexOf(key) >= 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);
@ -146,6 +149,9 @@ module.exports.update = (id, updates, callback) => {
Object.keys(updates).forEach(key => { Object.keys(updates).forEach(key => {
let value = typeof updates[key] === 'string' ? updates[key].trim() : updates[key]; let value = typeof updates[key] === 'string' ? updates[key].trim() : updates[key];
key = tools.toDbKey(key); key = tools.toDbKey(key);
if (key === 'description') {
value = tools.purifyHTML(value);
}
if (allowedKeys.indexOf(key) >= 0) { if (allowedKeys.indexOf(key) >= 0) {
keys.push(key); keys.push(key);
values.push(value); values.push(value);