This was opened and closed before, but the vulnerability still exists. For anyone looking to fix it, the sanitize-html library seems like the simplest way to go.
Just run npm install sanitize-html --save and follow the guidelines below:
Update package.json to include "sanitize-html": "1.14.1"
Update the view.on('post') function in routes.views.link and routes.views.post like this:
// HTML sanitizer used to whitelist tags/attributes in user-submitted comment text.
const sanitizer = require('sanitize-html');
...
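// Handler for the 'create-comment' form action: verifies the account, sanitizes
// the submitted comment body and stores the *sanitized* text.
// `req`, `res`, `locals`, `LinkComment` and `sanitizer` are closure variables
// from the enclosing route module (not shown in this excerpt).
view.on('post', { action: 'create-comment' }, function (next) {
  const linkPath = `/links/link/${locals.link.slug}`;

  // Treat a missing or non-string body field as an empty comment instead of
  // letting `.length` throw on `undefined` or run against an array/object.
  const rawContent = typeof req.body.content === 'string' ? req.body.content : '';

  // Allow only basic inline formatting and plain links. Note that `href`
  // values remain user-controlled, so link targets are still whatever the
  // user typed (subject to the library's own scheme filtering — confirm for
  // the pinned version).
  const comment = sanitizer(rawContent, {
    allowedTags: ['b', 'i', 'em', 'strong', 'a'],
    allowedAttributes: { a: ['href'] },
  });

  const newLinkComment = new LinkComment.model({
    link: locals.link.id,
    author: locals.user.id,
  });
  const updater = newLinkComment.getUpdateHandler(req, res, {
    errorMessage: 'There was an error creating your comment:',
  });

  // Only accounts that completed registration may comment.
  if (!req.user.isVerified) {
    req.flash('error', 'You cannot comment until you confirm your registration.');
    return res.redirect(linkPath);
  }

  // Reject comments that are empty after sanitization. If the raw input was
  // non-empty, everything the user sent was disallowed markup.
  if (!comment.length) {
    if (rawContent.length) {
      req.flash('error', 'Either you entered a disallowed symbol or you were being shady...not cool, bro!');
    } else {
      req.flash('error', 'You cannot post a blank comment.');
    }
    return res.redirect(linkPath);
  }

  // Persist the sanitized text. The earlier version passed `req.body` straight
  // to the update handler, so the raw, unsanitized `content` was what got
  // written and the sanitizer only served as a length check. A shallow copy is
  // used rather than mutating `req.body`, so later middleware still sees the
  // original submission.
  const data = Object.assign({}, req.body, { content: comment });
  updater.process(data, {
    flashErrors: true,
    logErrors: true,
    fields: 'content',
  }, function (err) {
    if (err) {
      locals.validationErrors = err.errors;
    } else {
      req.flash('success', 'Your comment has been added successfully.');
      return res.redirect(linkPath);
    }
    next();
  });
});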
Bear in mind that I have set up email validation and require it before commenting, which explains a couple of extra lines of code. This also still allows URLs in the comments, so mind what your users are entering.