add some XSS / path traversal validation

server/api/controller/settings.js

@@ -9,6 +9,7 @@ const pkg = require('../../../package.json')
 const generateKeyPair = promisify(crypto.generateKeyPair)
 const log = require('../../log')
 const locales = require('../../../locales/index')
+const escape = require('lodash/escape')
 
 
 let defaultHostname
@@ -162,11 +163,12 @@ const settingsController = {
     await settingsController.set('smtp', smtp.smtp)
     const mail = require('../mail')
     try {
-      await mail._send(settingsController.settings.admin_email, 'test', null, 'en')
+      await mail._send(settingsController.settings.admin_email, 'test')
+
       return res.sendStatus(200)
     } catch (e) {
       console.error(e)
-      return res.status(400).send(String(e))
+      return res.status(400).send(escape(String(e)))
     }
   },
 

server/api/controller/setup.js

@@ -5,6 +5,7 @@ const db = require('../models/index.js')
 const config = require('../../config')
 const settingsController = require('./settings')
 const path = require('path')
+const escape = require('lodash/escape')
 
 const setupController = {
 
@@ -88,7 +89,7 @@ const setupController = {
 
       } catch (e) {
         log.error(String(e))
-        return res.status(400).send(String(e))
+        return res.status(400).send(escape(String(e)))
       }
     }