Improved sanatization for server-side templating.

2025-11-04 06:09:26 -05:00 · 2025-11-04 06:09:26 -05:00 · 08fe051269
commit 08fe051269
parent 35fd81e1b2
30 changed files with 151 additions and 104 deletions
--- a/src/controllers/adminPanelController.js
+++ b/src/controllers/adminPanelController.js
@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //Config
 const config = require('../../config.json');

+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //Local Imports
 const {userModel} = require('../schemas/user/userSchema');
 const permissionModel = require('../schemas/permissionSchema');
@ -45,7 +48,8 @@ module.exports.get = async function(req, res){
            chanGuide: chanGuide,
            userList: userList,
            permList: permList,
-            csrfToken: csrfUtils.generateToken(req)
+            csrfToken: csrfUtils.generateToken(req),
+            unescape: validator.unescape
        });

    }catch(err){
--- a/src/controllers/channelSettingsController.js
+++ b/src/controllers/channelSettingsController.js
@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //Config
 const config = require('../../config.json');

+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const channelModel = require('../schemas/channel/channelSchema');
 const permissionModel = require('../schemas/permissionSchema');
@ -39,7 +42,7 @@ module.exports.get = async function(req, res){
            throw loggerUtils.exceptionSmith("Channel not found.", "queue");
        }
        
-        return res.render('channelSettings', {instance: config.instanceName, user: req.session.user, channel: chanDB, reqRank, rankEnum: permissionModel.rankEnum, csrfToken: csrfUtils.generateToken(req)});
+        return res.render('channelSettings', {instance: config.instanceName, user: req.session.user, channel: chanDB, reqRank, rankEnum: permissionModel.rankEnum, csrfToken: csrfUtils.generateToken(req), unescape: validator.unescape});
    }catch(err){
        return exceptionHandler(res, err);
    }
--- a/src/controllers/indexController.js
+++ b/src/controllers/indexController.js
@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //Config
 const config = require('../../config.json');

+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const channelModel = require('../schemas/channel/channelSchema');
 const csrfUtils = require('../utils/csrfUtils');
@ -26,7 +29,7 @@ const {exceptionHandler, errorHandler} = require('../utils/loggerUtils');
 module.exports.get = async function(req, res){
    try{
        const chanGuide = await channelModel.getChannelList();
-        return res.render('index', {instance: config.instanceName, user: req.session.user, chanGuide: chanGuide, csrfToken: csrfUtils.generateToken(req)});
+        return res.render('index', {instance: config.instanceName, user: req.session.user, chanGuide: chanGuide, csrfToken: csrfUtils.generateToken(req), unescape: validator.unescape});
    }catch(err){
        return exceptionHandler(res, err);
    }
--- a/src/controllers/panel/profileController.js
+++ b/src/controllers/panel/profileController.js
@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');

+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const presenceUtils = require('../../utils/presenceUtils');
 const {userModel} = require('../../schemas/user/userSchema');
@ -34,7 +37,7 @@ module.exports.get = async function(req, res){
            //Pull presence (should be quick since everyone whos been on since last startup will be backed in RAM)
            const presence = await presenceUtils.getPresence(profile.user);

-            return res.render('partial/panels/profile', {profile, presence});
+            return res.render('partial/panels/profile', {profile, presence, unescape: validator.unescape});
        }else{
            res.status(400);
            return res.send({errors: validResult.array()})
--- a/src/controllers/profileController.js
+++ b/src/controllers/profileController.js
@ -20,6 +20,9 @@ const csrfUtils = require('../utils/csrfUtils');
 const presenceUtils = require('../utils/presenceUtils');
 const {exceptionHandler, errorHandler} = require('../utils/loggerUtils');

+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //Config
 const config = require('../../config.json');

@ -44,7 +47,8 @@ module.exports.get = async function(req, res){
                profile,
                selfProfile,
                presence,
-                csrfToken: csrfUtils.generateToken(req)
+                csrfToken: csrfUtils.generateToken(req),
+                unescape: validator.unescape
            });
        }else{
            res.render('profile', {
@ -53,7 +57,8 @@ module.exports.get = async function(req, res){
                profile: null,
                selfProfile: false,
                presence: null,
-                csrfToken: csrfUtils.generateToken(req)
+                csrfToken: csrfUtils.generateToken(req),
+                unescape: validator.unescape
            });
        }
    }catch(err){
--- a/src/controllers/tooltip/altListController.js
+++ b/src/controllers/tooltip/altListController.js
@ -16,6 +16,7 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/

 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');
+const validator = require('validator');//Because sometimes one isn't enough...

 //local imports
 const {userModel} = require('../../schemas/user/userSchema');
@ -34,7 +35,7 @@ module.exports.get = async function(req, res){
                return errorHandler(res, 'Cannot get alts for non-existant user!');
            }

-            return res.render('partial/tooltip/altList', {alts: await userDB.getAltProfiles()});
+            return res.render('partial/tooltip/altList', {alts: await userDB.getAltProfiles(), unescape: validator.unescape});
        }else{
            res.status(400);
            return res.send({errors: validResult.array()})
--- a/src/controllers/tooltip/profileController.js
+++ b/src/controllers/tooltip/profileController.js
@ -17,6 +17,9 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.*/
 //NPM Imports
 const {validationResult, matchedData} = require('express-validator');

+//NPM Imports
+const validator = require('validator');//No express here, so regular validator it is!
+
 //local imports
 const {userModel} = require('../../schemas/user/userSchema');
 const {exceptionHandler, errorHandler} = require('../../utils/loggerUtils');
@ -30,10 +33,10 @@ module.exports.get = async function(req, res){
            const data = matchedData(req);
            const profile = await userModel.findProfile({user: data.user});

-            return res.render('partial/tooltip/profile', {profile});
+            return res.render('partial/tooltip/profile', {profile, unescape: validator.unescape});
        }else{
            res.status(400);
-            return res.send({errors: validResult.array()})
+            return res.send({errors: validResult.array()});
        }

    }catch(err){