add some XSS / path traversal validation

2022-02-07 12:28:38 +01:00
parent 74c8cb555d
commit 592acbdb19
4 changed files with 13 additions and 7 deletions
--- a/server/api/controller/settings.js
+++ b/server/api/controller/settings.js
@@ -9,6 +9,7 @@ const pkg = require('../../../package.json')
 const generateKeyPair = promisify(crypto.generateKeyPair)
 const log = require('../../log')
 const locales = require('../../../locales/index')
+const escape = require('lodash/escape')


 let defaultHostname
@@ -162,11 +163,12 @@ const settingsController = {
    await settingsController.set('smtp', smtp.smtp)
    const mail = require('../mail')
    try {
-      await mail._send(settingsController.settings.admin_email, 'test', null, 'en')
+      await mail._send(settingsController.settings.admin_email, 'test')
+
      return res.sendStatus(200)
    } catch (e) {
      console.error(e)
-      return res.status(400).send(String(e))
+      return res.status(400).send(escape(String(e)))
    }
  },