diff --git a/core/server/models/post.js b/core/server/models/post.js
index 74a197c263..a25e1a4b97 100644
--- a/core/server/models/post.js
+++ b/core/server/models/post.js
@@ -51,7 +51,7 @@ Post = GhostBookshelf.Model.extend({
 this.set('html', converter.makeHtml(this.get('markdown')));
- this.set('title', this.get('title').trim());
+ this.set('title', this.escape('title').trim());
 if (this.hasChanged('status') && this.get('status') === 'published') {
 if (!this.get('published_at')) {
diff --git a/core/server/models/settings.js b/core/server/models/settings.js
index 5faf9e301a..ba8d299aca 100644
--- a/core/server/models/settings.js
+++ b/core/server/models/settings.js
@@ -73,7 +73,19 @@ Settings = GhostBookshelf.Model.extend({
 validation[validationName].apply(validation, validationOptions);
 }, this);
 }
+ },
+
+
+ saving: function () {
+
+ // All blog setting keys that need their values to be escaped.
+ if (this.get('type') === 'blog' && _.contains(['title', 'description', 'email'], this.get('key'))) {
+ this.set('value', this.escape('value'));
+ }
+
+ return GhostBookshelf.Model.prototype.saving.apply(this, arguments);
 }
+
 }, {
 read: function (_key) {
 // Allow for just passing the key instead of attributes
diff --git a/core/server/models/user.js b/core/server/models/user.js
index 894a3df261..2e41e10203 100644
--- a/core/server/models/user.js
+++ b/core/server/models/user.js
@@ -55,6 +55,13 @@ User = GhostBookshelf.Model.extend({
 }
 },
+ saving: function () {
+
+ this.set('name', this.escape('name'));
+
+ return GhostBookshelf.Model.prototype.saving.apply(this, arguments);
+ },
+
 posts: function () {
 return this.hasMany(Posts, 'created_by');
 },
diff --git a/core/test/unit/api_posts_spec.js b/core/test/unit/api_posts_spec.js
index 6731d9222b..48e3b56301 100644
--- a/core/test/unit/api_posts_spec.js
+++ b/core/test/unit/api_posts_spec.js
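Review bot: `this.escape('title')` runs inside the `saving` hook on every save, so a title that was loaded from the database already holding entities (`&lt;`, `&amp;`) is encoded a second time on the next save, and a plain `&` in a title grows by one `amp;` per edit; the settings.js and user.js hooks in this commit apply the same pattern to `value` and `name`. Entity-encoding at write time also ties the stored column to a single output context (HTML), while the same title presumably reaches RSS, JSON and `<title>` output, where output-time escaping in the templates is the usual place for this. If write-time escaping is kept, it should at least be limited to values that actually changed on this save, e.g. `if (this.hasChanged('title')) { this.set('title', this.escape('title').trim()); }`, and a comment should state that readers of this column must treat it as already HTML-escaped. The enclosing `saving` function starts and ends outside the hunk.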
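Review bot: Escaping the `email` setting with HTML entities at save time corrupts addresses that contain `'` or `&` (if `escape` follows the Backbone/lodash `_.escape` convention), and the stored value then reaches any mail-sending or plain-text path as well as the HTML templates. The array on the `if` line is the only place this rule lives, and the comment above it says which keys are escaped but not why, so a reader cannot tell whether `description` is expected to hold markup. Suggest dropping `email` from the list and validating it as an address instead, with the comment expanded to `// Blog-facing text settings are stored HTML-escaped; email is validated, not escaped, so it stays usable outside HTML.` The per-save re-escaping concern raised on post.js applies here too, since this hook runs on every save of a matching key.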
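Review bot: `this.set('name', this.escape('name'))` is applied unconditionally, so a save that does not carry `name` (a partial update of another attribute, for instance) would, if `escape` returns `''` for a missing attribute as `_.escape` does, overwrite the stored name with an empty string; guarding with `if (this.hasChanged('name')) { this.set('name', this.escape('name')); }` avoids that and also stops an already-escaped stored name from being re-encoded on every save. The hook carries no comment explaining why escaping happens at write time rather than in the templates; a line such as `// Stored HTML-escaped: templates render name without further escaping.` would record the contract readers of this column depend on. Whether other user-supplied text attributes on this model need the same treatment is not visible in the hunk.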
@@ -367,4 +367,16 @@ describe('Post Model', function () {
 done();
 }).then(null, done);
 });
+
+ it('should escape the title', function (done) {
+
+ new PostModel().fetch().then(function(model) {
+ return model.set({'title': ''}).save();
+ }).then(function(saved) {
+ saved.get('title').should.eql('<script>alert("hello world")</script>');
+ done();
+ }).otherwise(done);
+
+ });
+
 });
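Review bot: As shown, the new test sets `title` to `''` and then asserts the literal `<script>alert("hello world")</script>`, which is neither the escaped form nor the value that was set; this looks like the page rendering having stripped the markup from the `set` call and the entities from the expectation, but as written the test cannot pass against `escape('title')`. The intent should be to set the raw `<script>…</script>` string and assert the entity-encoded result (`&lt;script&gt;…&lt;/script&gt;`). It is also worth calling `save()` a second time on the returned model and asserting the title is unchanged, so a regression to double-escaping on re-save is caught. The test relies on `fetch()` returning an existing post; without that fixture the failure would surface as a `set` on `undefined` rather than a clear assertion message.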