Fix replace script tags in URL

Replace script tags in URL with fcc tags. This prevents some xss bugs blocking code from running in the iFrame.
2015-10-06 16:39:15 -07:00
parent e6afda62c7
commit 33e8f35bbf
3 changed files with 56 additions and 34 deletions
--- a/server/boot/user.js
+++ b/server/boot/user.js
@@ -11,6 +11,12 @@ const debug = debugFactory('freecc:boot:user');
 const daysBetween = 1.5;
 const sendNonUserToMap = ifNoUserRedirectTo('/map');

+function replaceScriptTags(value) {
+  return value
+    .replace(/<script>/gi, 'fccss')
+    .replace(/<\/script>/gi, 'fcces');
+}
+
 function calcCurrentStreak(cals) {
  const revCals = cals.concat([Date.now()]).slice().reverse();
  let streakBroken = false;
@@ -239,7 +245,9 @@ module.exports = function(app) {
          moment,

          longestStreak: profileUser.longestStreak,
-          currentStreak: profileUser.currentStreak
+          currentStreak: profileUser.currentStreak,
+
+          replaceScriptTags
        });
      }
    );