
Commit b7c1518

committed
fix(messages): xss security
1 parent 7099d08 commit b7c1518


2 files changed

+22
-10
lines changed


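--- a/src/helpers/utils/index.js
+++ b/src/helpers/utils/index.js
@@ -19,6 +19,7 @@ const piexifjs = require('piexifjs')
 
 const MAX_FIELD_TEXT_LENGTH = 255
 const MAX_SHORT_FIELD_TEXT_LENGTH = 25
+const MAX_EXTREME_TEXT_LENGTH = 2000
 
 module.exports.applyMaxTextLength = function (text) {
 return text.toString().substring(0, MAX_FIELD_TEXT_LENGTH)
@@ -28,6 +29,10 @@ module.exports.applyMaxShortTextLength = function (text) {
 return text.toString().substring(0, MAX_SHORT_FIELD_TEXT_LENGTH)
 }
 
+module.exports.applyExtremeTextLength = function (text) {
+return text.toString().substring(0, MAX_EXTREME_TEXT_LENGTH)
+}
+
 module.exports.sanitizeFieldPlainText = function (text) {
 return xss(text, {
 whileList: {},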
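Review bot: The `whileList: {}` option passed to xss() on the last context line of the second hunk looks like a misspelling of js-xss's `whiteList` option; an unrecognised key is ignored, so the empty whitelist that would strip every tag is probably not in effect and the library's default tag whitelist applies instead. Since the new applyExtremeTextLength helper exists specifically to feed sanitizeFieldPlainText from the message pre-save hook, the effect of this fix depends on that option actually being read, which a unit test asserting that `sanitizeFieldPlainText('<a href="x">t</a>')` contains no `<a` would confirm. The correction is one token: `whiteList: {},`. Like its siblings, the new helper calls `text.toString()` and so throws on null or undefined input, which callers need to guard. sanitizeFieldPlainText's body continues outside the hunk.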

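--- a/src/models/chat/message.js
+++ b/src/models/chat/message.js
@@ -12,12 +12,13 @@
 * Copyright (c) 2014-2019. All rights reserved.
 */
 
-var mongoose = require('mongoose')
-var _ = require('lodash')
+const mongoose = require('mongoose')
+const _ = require('lodash')
+const utils = require('../../helpers/utils')
 
-var COLLECTION = 'messages'
+const COLLECTION = 'messages'
 
-var messageSchema = mongoose.Schema(
+const messageSchema = mongoose.Schema(
 {
 conversation: {
 type: mongoose.Schema.Types.ObjectId,
@@ -35,6 +36,12 @@ var messageSchema = mongoose.Schema(
 { timestamps: true }
 )
 
+messageSchema.pre('save', function (next) {
+this.body = utils.sanitizeFieldPlainText(utils.applyExtremeTextLength(this.body))
+
+next()
+})
+
 messageSchema.statics.getFullConversation = function (convoId, callback) {
 return this.model(COLLECTION)
 .find({ conversation: convoId })
@@ -65,22 +72,22 @@ messageSchema.statics.getConversationWithObject = function (object, callback) {
 return callback('Invalid Object (Must by of type Object) - MessageSchema.GetUserWithObject()', null)
 }
 
-var self = this
-var deletedAt = null
+const self = this
+let deletedAt = null
 
-var limit = object.limit === null ? 25 : object.limit
-var page = object.page === null ? 0 : object.page
+const limit = object.limit === null ? 25 : object.limit
+const page = object.page === null ? 0 : object.page
 
 if (object.requestingUser) {
-var userMetaIdx = _.findIndex(object.userMeta, function (item) {
+const userMetaIdx = _.findIndex(object.userMeta, function (item) {
 return item.userId.toString() === object.requestingUser._id.toString()
 })
 if (userMetaIdx !== -1 && object.userMeta[userMetaIdx].deletedAt) {
 deletedAt = new Date(object.userMeta[userMetaIdx].deletedAt)
 }
 }
 
-var q = self
+const q = self
 .model(COLLECTION)
 .find({})
 .sort('-createdAt')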
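Review bot: The new pre('save') hook in the second hunk runs on every save and reaches `this.body.toString()` through applyExtremeTextLength, so a document whose body is null or undefined throws a TypeError inside the hook instead of reporting through next(); whether the schema marks body as required is not visible in this section. It also re-sanitises an already-sanitised body on every later save of the same document, so the hook should be restricted to actual changes, e.g. `if (this.isModified('body') && this.body != null) { this.body = utils.sanitizeFieldPlainText(utils.applyExtremeTextLength(this.body)) }` before `next()`. Note too that the 2000-character cap is applied before escaping, so the stored body can still exceed it once `<` and `>` are expanded to entities; if the bound is meant for storage, apply it after sanitising. The hook is complete within the hunk.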
