Sanitize inputs

TerryYeING · Nov 4, 2021 · fdc7645 · fdc7645
1 parent a14b716
commit fdc7645
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 26 deletions.
diff --git a/lib/common.js b/lib/common.js
@@ -7,6 +7,7 @@ const glob = require('glob');
 const async = require('async');
 const nodemailer = require('nodemailer');
 const sanitizeHtml = require('sanitize-html');
+const stripHtml = require('string-strip-html');
 const mkdirp = require('mkdirp');
 const ObjectId = require('mongodb').ObjectID;
 const countryList = require('countries-list');
@@ -37,8 +38,15 @@ const allowedMimeType = [
 const fileSizeLimit = 10485760;
 
 // common functions
-const cleanHtml = (html) => {
-    return sanitizeHtml(html);
+
+// Removes HTML from string
+const sanitize = (string) => {
+    return stripHtml(string);
+};
+
+// Ensures HTML is safe
+const cleanHtml = (string) => {
+    return sanitizeHtml(string);
 };
 
 const mongoSanitize = (param) => {
@@ -285,6 +293,7 @@ const cleanAmount = (amount) => {
 
 const clearCustomer = (req) => {
     // Clear our session
+    req.session.customerCompany = null;
     req.session.customerPresent = null;
     req.session.customerEmail = null;
     req.session.customerFirstname = null;
@@ -301,6 +310,7 @@ const clearCustomer = (req) => {
 module.exports = {
     allowedMimeType,
     fileSizeLimit,
+    sanitize,
     cleanHtml,
     mongoSanitize,
     safeParseInt,

diff --git a/routes/customer.js b/routes/customer.js
@@ -9,7 +9,8 @@ const {
     getCountryList,
     mongoSanitize,
     sendEmail,
-    clearCustomer
+    clearCustomer,
+    sanitize
 } = require('../lib/common');
 const rateLimit = require('express-rate-limit');
 const { indexCustomers } = require('../lib/indexing');
@@ -26,16 +27,16 @@ router.post('/customer/create', async (req, res) => {
     const db = req.app.db;
 
     const customerObj = {
-        email: req.body.email,
-        company: req.body.company,
-        firstName: req.body.firstName,
-        lastName: req.body.lastName,
-        address1: req.body.address1,
-        address2: req.body.address2,
-        country: req.body.country,
-        state: req.body.state,
-        postcode: req.body.postcode,
-        phone: req.body.phone,
+        email: sanitize(req.body.email),
+        company: sanitize(req.body.company),
+        firstName: sanitize(req.body.firstName),
+        lastName: sanitize(req.body.lastName),
+        address1: sanitize(req.body.address1),
+        address2: sanitize(req.body.address2),
+        country: sanitize(req.body.country),
+        state: sanitize(req.body.state),
+        postcode: sanitize(req.body.postcode),
+        phone: sanitize(req.body.phone),
         password: bcrypt.hashSync(req.body.password, 10),
         created: new Date()
     };

diff --git a/routes/order.js b/routes/order.js
@@ -5,7 +5,8 @@ const {
     getId,
     sendEmail,
     getEmailTemplate,
-    clearCustomer
+    clearCustomer,
+    sanitize
 } = require('../lib/common');
 const {
     paginateData
@@ -138,18 +139,18 @@ router.post('/admin/order/create', async (req, res, next) => {
         orderItemCount: req.session.totalCartItems,
         orderProductCount: req.session.totalCartProducts,
         orderCustomer: getId(req.session.customerId),
-        orderEmail: req.body.email || req.session.customerEmail,
-        orderCompany: req.body.company || req.session.customerCompany,
-        orderFirstname: req.body.firstName || req.session.customerFirstname,
-        orderLastname: req.body.lastName || req.session.customerLastname,
-        orderAddr1: req.body.address1 || req.session.customerAddress1,
-        orderAddr2: req.body.address2 || req.session.customerAddress2,
-        orderCountry: req.body.country || req.session.customerCountry,
-        orderState: req.body.state || req.session.customerState,
-        orderPostcode: req.body.postcode || req.session.customerPostcode,
-        orderPhoneNumber: req.body.phone || req.session.customerPhone,
-        orderComment: req.body.orderComment || req.session.orderComment,
-        orderStatus: req.body.orderStatus,
+        orderEmail: sanitize(req.body.email || req.session.customerEmail),
+        orderCompany: sanitize(req.body.company || req.session.customerCompany),
+        orderFirstname: sanitize(req.body.firstName || req.session.customerFirstname),
+        orderLastname: sanitize(req.body.lastName || req.session.customerLastname),
+        orderAddr1: sanitize(req.body.address1 || req.session.customerAddress1),
+        orderAddr2: sanitize(req.body.address2 || req.session.customerAddress2),
+        orderCountry: sanitize(req.body.country || req.session.customerCountry),
+        orderState: sanitize(req.body.state || req.session.customerState),
+        orderPostcode: sanitize(req.body.postcode || req.session.customerPostcode),
+        orderPhoneNumber: sanitize(req.body.phone || req.session.customerPhone),
+        orderComment: sanitize(req.body.orderComment || req.session.orderComment),
+        orderStatus: sanitize(req.body.orderStatus),
         orderDate: new Date(),
         orderProducts: req.session.cart,
         orderType: 'Single'