do not allow script tags in description html

2017-03-19 14:22:44 +02:00 · 2017-03-19 14:22:44 +02:00 · ae6affda81
commit ae6affda81
parent 0879fa412a
5 changed files with 32 additions and 0 deletions
--- a/lib/models/lists.js
+++ b/lib/models/lists.js
@ -123,6 +123,9 @@ module.exports.create = (list, callback) => {
    Object.keys(list).forEach(key => {
        let value = list[key].trim();
        key = tools.toDbKey(key);
+        if (key === 'description') {
+            value = tools.purifyHTML(value);
+        }
        if (allowedKeys.indexOf(key) >= 0) {
            keys.push(key);
            values.push(value);
@ -182,6 +185,9 @@ module.exports.update = (id, updates, callback) => {
    Object.keys(updates).forEach(key => {
        let value = updates[key].trim();
        key = tools.toDbKey(key);
+        if (key === 'description') {
+            value = tools.purifyHTML(value);
+        }
        if (allowedKeys.indexOf(key) >= 0) {
            keys.push(key);
            values.push(value);