X-Git-Url: https://git.auder.net/?a=blobdiff_plain;f=server%2Froutes%2Fusers.js;h=dfe2fa2ef0ca8f3f82b964ff8ebca4835d7a7f8a;hb=d639b82a84af667908ccdda522cb1f94fddf55e5;hp=d637e13c1f2e186be5df4060578f1b990fb5b619;hpb=80b38d463c0d5dacac93bc2aeb666bbb19781e1e;p=vchess.git diff --git a/server/routes/users.js b/server/routes/users.js index d637e13c..dfe2fa2e 100644 --- a/server/routes/users.js +++ b/server/routes/users.js @@ -4,7 +4,16 @@ const sendEmail = require('../utils/mailer'); const genToken = require("../utils/tokenGenerator"); const access = require("../utils/access"); const params = require("../config/parameters"); -const sanitizeHtml = require('sanitize-html'); +const sanitizeHtml_pkg = require('sanitize-html'); + +const allowedTags = [ + 'h3', 'h4', 'h5', 'h6', 'blockquote', 'p', 'a', 'ul', 'ol', 'li', 'b', + 'i', 'strong', 'em', 'strike', 'code', 'hr', 'br', 'div', 'table', + 'thead', 'caption', 'tbody', 'tr', 'th', 'td', 'pre' +]; +function sanitizeHtml(text) { + return sanitizeHtml_pkg(text, { allowedTags: allowedTags }); +} router.get("/userbio", access.ajax, (req,res) => { const uid = req.query["id"]; @@ -25,19 +34,19 @@ router.post('/register', access.unlogged, access.ajax, (req,res) => { const name = req.body.name; const email = req.body.email; const notify = !!req.body.notify; - if (UserModel.checkNameEmail({name: name, email: email})) { + if (UserModel.checkNameEmail({ name: name, email: email })) { UserModel.create(name, email, notify, (err, ret) => { if (!!err) { const msg = err.code == "SQLITE_CONSTRAINT" ? "User name or email already in use" : "User creation failed. Try again"; - res.json({errmsg: msg}); + res.json({ errmsg: msg }); } else { const user = { id: ret.id, name: name, - email: email, + email: email }; setAndSendLoginToken("Welcome to " + params.siteURL, user, res); res.json({}); @@ -74,9 +83,9 @@ router.get("/whoami", access.ajax, (req,res) => { router.get("/users", access.ajax, (req,res) => { const ids = req.query["ids"]; // NOTE: slightly too permissive RegExp - if (ids.match(/^([0-9]+,?)+$/)) { + if (!!ids && !!ids.match(/^([0-9]+,?)+$/)) { UserModel.getByIds(ids, (err, users) => { - res.json({ users:users }); + res.json({ users: users }); }); } }); @@ -84,7 +93,7 @@ router.get("/users", access.ajax, (req,res) => { router.put('/update', access.logged, access.ajax, (req,res) => { const name = req.body.name; const email = req.body.email; - if (UserModel.checkNameEmail({name: name, email: email})) { + if (UserModel.checkNameEmail({ name: name, email: email })) { const user = { id: req.userId, name: name, @@ -116,7 +125,7 @@ function setAndSendLoginToken(subject, to, res) { router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => { const nameOrEmail = decodeURIComponent(req.query.nameOrEmail); const type = (nameOrEmail.indexOf('@') >= 0 ? "email" : "name"); - if (UserModel.checkNameEmail({[type]: nameOrEmail})) { + if (UserModel.checkNameEmail({ [type]: nameOrEmail })) { UserModel.getOne(type, nameOrEmail, (err,user) => { access.checkRequest(res, err, user, "Unknown user", () => { setAndSendLoginToken("Token for " + params.siteURL, user, res); @@ -128,12 +137,12 @@ router.get('/sendtoken', access.unlogged, access.ajax, (req,res) => { router.get('/authenticate', access.unlogged, access.ajax, (req,res) => { if (!req.query.token.match(/^[a-z0-9]+$/)) - return res.json({errmsg: "Bad token"}); + return res.json({ errmsg: "Bad token" }); UserModel.getOne("loginToken", req.query.token, (err,user) => { access.checkRequest(res, err, user, "Invalid token", () => { // If token older than params.tokenExpire, do nothing if (Date.now() > user.loginTime + params.token.expire) - res.json({errmsg: "Token expired"}); + res.json({ errmsg: "Token expired" }); else { // Generate session token (if not exists) + destroy login token UserModel.trySetSessionToken(user.id, (token) => { @@ -146,7 +155,7 @@ router.get('/authenticate', access.unlogged, access.ajax, (req,res) => { id: user.id, name: user.name, email: user.email, - notify: user.notify, + notify: user.notify }); }); }