From 530f3f9f50611cb4d16a9765d1ef1984321bf5a3 Mon Sep 17 00:00:00 2001
From: David Ng
Date: Tue, 24 Sep 2024 19:59:21 -0400
Subject: [PATCH 1/3] added sanitization feature
---
 src/controllers/write/topics.js | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/src/controllers/write/topics.js b/src/controllers/write/topics.js
index b9691a8da5..f0a4bafa5f 100644
--- a/src/controllers/write/topics.js
+++ b/src/controllers/write/topics.js
@@ -17,7 +17,9 @@ Topics.get = async (req, res) => {
 Topics.create = async (req, res) => {
 const id = await lockPosting(req, '[[error:already-posting]]');
 try {
+ console.log("Anonymous flag received in create:", req.body.anonymous);
 const payload = await api.topics.create(req, req.body);
+ console.log("Post object before save:", payload);
 if (payload.queued) {
 helpers.formatApiResponse(202, res, payload);
 } else {
@@ -31,6 +33,20 @@ Topics.create = async (req, res) => {
 Topics.reply = async (req, res) => {
 const id = await lockPosting(req, '[[error:already-posting]]');
 try {
+<<<<<<< Updated upstream
+=======
+ console.log("Anonymous flag received in reply:", isAnonymous);
+ const isAnonymous = req.body.anon;
+ let replyData = { ...req.body, tid: req.params.tid };
+ if (isAnonymous) {
+ console.log("Post is anonymous. Modifying the username and userslug.");
+ replyData.username = 'Anonymous User';
+ replyData.userslug = null;
+ } else {
+ console.log("Post is not anonymous.");
+ }
+ console.log("Final reply data being sent:", replyData);
+>>>>>>> Stashed changes
 const payload = await api.topics.reply(req, { ...req.body, tid: req.params.tid });
 helpers.formatApiResponse(200, res, payload);
 } finally {

From 67ced511baf57a41c2896d160e787ecabeb5ed1f Mon Sep 17 00:00:00 2001
From: David Ng
Date: Tue, 24 Sep 2024 20:03:08 -0400
Subject: [PATCH 2/3] added sanitization feature
---
 src/controllers/write/topics.js | 3 +++
 1 file changed, 3 insertions(+)
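Review bot: The two added `console.log` calls print `req.body.anonymous` and the entire `payload` returned by `api.topics.create` to stdout on every topic creation, so user-submitted post content ends up in process logs; debug output like this should not be merged, and both lines can simply be deleted. The flag is also only logged here and never acted on, and it is read as `req.body.anonymous` while the `Topics.reply` hunk below reads `req.body.anon`, so at most one of the two names can match what the client sends. What `api.topics.create` returns is not visible in the hunk, but it is the object the 202 response is built from, so it presumably carries the post itself.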
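Review bot: `console.log("Anonymous flag received in reply:", isAnonymous)` reads `isAnonymous` on the line before its `const` declaration, which is a temporal-dead-zone ReferenceError, so every reply request throws inside the `try` (the `finally` still releases the lock, but the request fails). `replyData` is then built and modified but never used: the `api.topics.reply` call below still passes `{ ...req.body, tid: req.params.tid }`, so the anonymization has no effect; the fix is to declare `const isAnonymous = req.body.anon;` first, make `replyData` a `const`, and call `api.topics.reply(req, replyData)`. The hunk also commits the `<<<<<<< Updated upstream` / `=======` / `>>>>>>> Stashed changes` stash markers, which are a syntax error, and the second patch in this series nests a further set of them inside the first. Whether `api.topics.reply` honours client-supplied `username`/`userslug` is not visible here; if it derives the author from `req.uid` these assignments are ignored, and if it does honour them those fields are client-controlled anyway, so anonymity should be decided server-side from the flag rather than by rewriting request fields. The four `console.log` calls, including the one that dumps the whole `replyData` request body, should be removed before merge.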
diff --git a/src/controllers/write/topics.js b/src/controllers/write/topics.js
index f0a4bafa5f..31ade1084f 100644
--- a/src/controllers/write/topics.js
+++ b/src/controllers/write/topics.js
@@ -34,7 +34,10 @@ Topics.reply = async (req, res) => {
 const id = await lockPosting(req, '[[error:already-posting]]');
 try {
 <<<<<<< Updated upstream
+<<<<<<< Updated upstream
+=======
 =======
+>>>>>>> Stashed changes
 console.log("Anonymous flag received in reply:", isAnonymous);
 const isAnonymous = req.body.anon;
 let replyData = { ...req.body, tid: req.params.tid };

From 4f5224c5ff2b7199b7c0ffb8cde8d91d570e0cc4 Mon Sep 17 00:00:00 2001
From: David Ng
Date: Tue, 24 Sep 2024 20:05:44 -0400
Subject: [PATCH 3/3] added sanitization feature resolved conflicts
---
 src/controllers/write/topics.js | 12 +++++-------
 1 file changed, 5 insertions(+), 7 deletions(-)

diff --git a/src/controllers/write/topics.js b/src/controllers/write/topics.js
index 31ade1084f..3f8e69688c 100644
--- a/src/controllers/write/topics.js
+++ b/src/controllers/write/topics.js
@@ -33,14 +33,13 @@ Topics.create = async (req, res) => {
 Topics.reply = async (req, res) => {
 const id = await lockPosting(req, '[[error:already-posting]]');
 try {
-<<<<<<< Updated upstream
-<<<<<<< Updated upstream
-=======
-=======
->>>>>>> Stashed changes
 console.log("Anonymous flag received in reply:", isAnonymous);
 const isAnonymous = req.body.anon;
 let replyData = { ...req.body, tid: req.params.tid };
+
+ // Sanitize content to avoid XSS attacks
+ replyData.content = validator.escape(replyData.content);
+
 if (isAnonymous) {
 console.log("Post is anonymous. Modifying the username and userslug.");
 replyData.username = 'Anonymous User';
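Review bot: `replyData.content = validator.escape(replyData.content)` escapes a copy that is never sent: the call in the next hunk is still `api.topics.reply(req, { ...req.body, tid: req.params.tid })`, so `content` reaches the API unescaped and the added sanitization (like the anonymization below it) is a no-op until that call becomes `api.topics.reply(req, replyData)`. `validator.escape` throws a `TypeError` on a non-string argument, so a request without `content` now fails with an unhandled exception instead of the API's own validation error; guard it with `if (typeof replyData.content === 'string')`. Entity-escaping raw markdown at the controller also stores `&lt;`, `&amp;` and `&quot;` in the post body; if the post pipeline already sanitizes the rendered HTML (not visible in this file), legitimate `<`, `&` and quotes in code blocks will be double-encoded, so output-side sanitization is the right layer for this. No `require('validator')` is added anywhere in the series, so `validator` must already be in scope at the top of the file, which is outside the hunk. The `isAnonymous` temporal-dead-zone read on the first context line after the removed markers is unchanged and still throws on every reply.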
@@ -49,12 +48,11 @@ Topics.reply = async (req, res) => {
 console.log("Post is not anonymous.");
 }
 console.log("Final reply data being sent:", replyData);
->>>>>>> Stashed changes
 const payload = await api.topics.reply(req, { ...req.body, tid: req.params.tid });
 helpers.formatApiResponse(200, res, payload);
 } finally {
 await db.deleteObjectField('locks', id);
- }
+ }gi
 };
 async function lockPosting(req, error) {
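Review bot: `+ }gi` leaves two stray characters after the closing brace of the `finally` block, which is a SyntaxError, so the whole module fails to load and none of the write routes it defines can be registered; the line should be `}`. The `api.topics.reply(req, { ...req.body, tid: req.params.tid })` context line also still ignores `replyData`, so the content escaping and anonymization added earlier in this series never reach the API; passing `replyData` here would make both effective. `Topics.reply` begins outside the hunk.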