diff --git a/package-lock.json b/package-lock.json
index 0efd404d0e..d59d30e47c 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -78,15 +78,10 @@
 }
 }
 },
- "@types/bluebird": {
- "version": "3.5.18",
- "resolved": "https://registry.npmjs.org/@types/bluebird/-/bluebird-3.5.18.tgz",
- "integrity": "sha512-OTPWHmsyW18BhrnG5x8F7PzeZ2nFxmHGb42bZn79P9hl+GI5cMzyPgQTwNjbem0lJhoru/8vtjAFCUOu3+gE2w=="
- },
 "@types/body-parser": {
- "version": "1.16.7",
- "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.16.7.tgz",
- "integrity": "sha512-Obn1/GG0sYsnlAlhhSR1hvYRGBpQT+fzSi2IlGN8emCE4iu6f6xIjaq499B1sa7N9iBLzxyOUBo5bzgJd16BvA==",
+ "version": "1.16.8",
+ "resolved": "https://registry.npmjs.org/@types/body-parser/-/body-parser-1.16.8.tgz",
+ "integrity": "sha512-BdN2PXxOFnTXFcyONPW6t0fHjz2fvRZHVMFpaS0wYr+Y8fWEaNOs4V8LEu/fpzQlMx+ahdndgTaGTwPC+J/EeA==",
 "requires": {
 "@types/express": "4.0.39",
 "@types/node": "8.0.47"
@@ -97,15 +92,15 @@
 "resolved": "https://registry.npmjs.org/@types/express/-/express-4.0.39.tgz",
 "integrity": "sha512-dBUam7jEjyuEofigUXCtublUHknRZvcRgITlGsTbFgPvnTwtQUt2NgLakbsf+PsGo/Nupqr3IXCYsOpBpofyrA==",
 "requires": {
- "@types/body-parser": "1.16.7",
- "@types/express-serve-static-core": "4.0.56",
- "@types/serve-static": "1.13.0"
+ "@types/body-parser": "1.16.8",
+ "@types/express-serve-static-core": "4.11.0",
+ "@types/serve-static": "1.13.1"
 }
 },
 "@types/express-serve-static-core": {
- "version": "4.0.56",
- "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.0.56.tgz",
- "integrity": "sha512-/0nwIzF1Bd4KGwW4lhDZYi5StmCZG1DIXXMfQ/zjORzlm4+F1eRA4c6yJQrt4hqX//TDtPULpSlYwmSNyCMeMg==",
+ "version": "4.11.0",
+ "resolved": "https://registry.npmjs.org/@types/express-serve-static-core/-/express-serve-static-core-4.11.0.tgz",
+ "integrity": "sha512-hOi1QNb+4G+UjDt6CEJ6MjXHy+XceY7AxIa28U9HgJ80C+3gIbj7h5dJNxOI7PU3DO1LIhGP5Bs47Dbf5l8+MA==",
 "requires": {
 "@types/node": "8.0.47"
 }
@@ -121,11 +116,11 @@
 "integrity": "sha512-kOwL746WVvt/9Phf6/JgX/bsGQvbrK5iUgzyfwZNcKVFcjAUVSpF9HxevLTld2SG9aywYHOILj38arDdY1r/iQ=="
 },
 "@types/serve-static": {
- "version": "1.13.0",
- "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.13.0.tgz",
- "integrity": "sha512-wvQkePwCDZoyQPGb64DTl2TEeLw54CQFXjY+tznxYYxNcBb4LG40ezoVbMDa0epwE4yogB0f42jCaH0356x5Mg==",
+ "version": "1.13.1",
+ "resolved": "https://registry.npmjs.org/@types/serve-static/-/serve-static-1.13.1.tgz",
+ "integrity": "sha512-jDMH+3BQPtvqZVIcsH700Dfi8Q3MIcEx16g/VdxjoqiGR/NntekB10xdBpirMKnPe9z2C5cBmL0vte0YttOr3Q==",
 "requires": {
- "@types/express-serve-static-core": "4.0.56",
+ "@types/express-serve-static-core": "4.11.0",
 "@types/mime": "2.0.0"
 }
 },
@@ -5207,22 +5202,13 @@
 }
 },
 "express-validator": {
- "version": "3.2.1",
- "resolved": "https://registry.npmjs.org/express-validator/-/express-validator-3.2.1.tgz",
- "integrity": "sha1-RWA+fu5pMYXCGY+969QUkl/9NSQ=",
+ "version": "4.3.0",
+ "resolved": "https://registry.npmjs.org/express-validator/-/express-validator-4.3.0.tgz",
+ "integrity": "sha512-EYU+JJ2EoLpcw+GKwbB1K8UGb/w1A70Wf3gD/zE9QScQxeSt8qad93lxGtsLwZFoiYM0EByVoSzHJnskp+eVHQ==",
 "requires": {
- "@types/bluebird": "3.5.18",
 "@types/express": "4.0.39",
- "bluebird": "3.5.1",
 "lodash": "4.17.4",
- "validator": "6.2.1"
- },
- "dependencies": {
- "validator": {
- "version": "6.2.1",
- "resolved": "https://registry.npmjs.org/validator/-/validator-6.2.1.tgz",
- "integrity": "sha1-vFdbeNFb6y4zimZbqVMMf0Ce9mc="
- }
+ "validator": "8.2.0"
 }
 },
 "extend": {
@@ -16959,9 +16945,9 @@
 }
 },
 "validator": {
- "version": "6.3.0",
- "resolved": "https://registry.npmjs.org/validator/-/validator-6.3.0.tgz",
- "integrity": "sha1-R84j7Y1Ord+p1LjvAHG2zxB418g="
+ "version": "8.2.0",
+ "resolved": "https://registry.npmjs.org/validator/-/validator-8.2.0.tgz",
+ "integrity": "sha512-Yw5wW34fSv5spzTXNkokD6S6/Oq92d8q/t14TqsS3fAiA1RYnxSFSIZ+CY3n6PGGRCq5HhJTSepQvFUS2QUDxA=="
 },
 "value-equal": {
 "version": "0.4.0",
diff --git a/package.json b/package.json
index b54207848a..d2a2a1498f 100644
--- a/package.json
+++ b/package.json
@@ -64,7 +64,7 @@
 "express-flash": "~0.0.2",
 "express-session": "^1.12.1",
 "express-state": "^1.2.0",
- "express-validator": "^3.0.0",
+ "express-validator": "^4.3.0",
 "fetchr": "~0.5.12",
 "font-awesome": "^4.7.0",
 "frameguard": "^3.0.0",
@@ -135,7 +135,7 @@
 "snyk": "^1.30.1",
 "store": "git+https://github.com/berkeleytrue/store.js.git#feature/noop-server",
 "uuid": "^3.0.1",
- "validator": "^6.0.0"
+ "validator": "^8.2.0"
 },
 "devDependencies": {
 "adler32": "~0.1.7",
diff --git a/server/middlewares/validator.js b/server/middlewares/validator.js
index bca7b0f8f5..f3961bae55 100644
--- a/server/middlewares/validator.js
+++ b/server/middlewares/validator.js
@@ -30,25 +30,27 @@ export default function() { customSanitizers: { // Refer : http://stackoverflow.com/a/430240/1932901 trimTags(value) { - const tagBody = '(?:[^"\'>]|"[^"]*"|\'[^\']*\')*'; - const tagOrComment = new RegExp( - '<(?:' - // Comment body. - + '!--(?:(?:-*[^->])*--+|-?)' - // Special "raw text" elements whose content should be elided. - + '|script\\b' + tagBody + '>[\\s\\S]*?[\\s\\S]*?', - 'gi'); - let rawValue; - do { - rawValue = value; - value = value.replace(tagOrComment, ''); - } while (value !== rawValue); - return value.replace(/]|"[^"]*"|\'[^\']*\')*'; + const tagOrComment = new RegExp( + '<(?:' + // Comment body. + + '!--(?:(?:-*[^->])*--+|-?)' + // Special "raw text" elements whose content should be elided. + + '|script\\b' + tagBody + '>[\\s\\S]*?[\\s\\S]*?', + 'gi' + ); + let rawValue; + do { + rawValue = value; + value = value.replace(tagOrComment, ''); + } while (value !== rawValue); + + return value.replace(/