Sanitize product inputs

lib/common.js

@@ -8,6 +8,7 @@ const path = require('path');
 const glob = require('glob');
 const async = require('async');
 const nodemailer = require('nodemailer');
+const sanitizeHtml = require('sanitize-html');
 const escape = require('html-entities').AllHtmlEntities;
 let ObjectId = require('mongodb').ObjectID;
 
@@ -65,6 +66,10 @@ exports.checkLogin = (req, res, next) => {
     res.redirect('/admin/login');
 };
 
+exports.cleanHtml = (html) => {
+    return sanitizeHtml(html);
+};
+
 exports.mongoSanitize = (param) => {
     if(param instanceof Object){
         for(const key in param){

package.json

@@ -38,6 +38,7 @@
     "paypal-rest-sdk": "^1.6.9",
     "rand-token": "^0.4.0",
     "rimraf": "^2.6.2",
+    "sanitize-html": "^1.19.3",
     "sitemap": "^1.6.0",
     "strip-bom": "^3.0.0",
     "stripe": "^5.4.0",

routes/product.js

@@ -81,10 +81,10 @@ router.post('/admin/product/insert', common.restrict, common.checkAccess, (req,
         productPermalink: req.body.frmProductPermalink,
         productTitle: req.body.frmProductTitle,
         productPrice: req.body.frmProductPrice,
-        productDescription: req.body.frmProductDescription,
+        productDescription: common.cleanHtml(req.body.frmProductDescription),
         productPublished: req.body.frmProductPublished,
         productTags: req.body.frmProductTags,
-        productOptions: req.body.productOptJson,
+        productOptions: common.cleanHtml(req.body.productOptJson),
         productComment: common.checkboxBool(req.body.frmProductComment),
         productAddedDate: new Date()
     };
@@ -198,6 +198,7 @@ router.post('/admin/product/update', common.restrict, common.checkAccess, (req,
                 res.redirect('/admin/product/edit/' + req.body.frmProductId);
                 return;
             }
+
             if(count > 0 && req.body.frmProductPermalink !== ''){
                 // permalink exits
                 req.session.message = 'Permalink already exists. Pick a new one.';
@@ -218,15 +219,17 @@ router.post('/admin/product/update', common.restrict, common.checkAccess, (req,
                 common.getImages(req.body.frmProductId, req, res, (images) => {
                     let productDoc = {
                         productTitle: req.body.frmProductTitle,
-                        productDescription: req.body.frmProductDescription,
+                        productDescription: common.cleanHtml(req.body.frmProductDescription),
                         productPublished: req.body.frmProductPublished,
                         productPrice: req.body.frmProductPrice,
                         productPermalink: req.body.frmProductPermalink,
-                        productTags: req.body.frmProductTags,
-                        productOptions: req.body.productOptJson,
+                        productTags: common.cleanHtml(req.body.frmProductTags),
+                        productOptions: common.cleanHtml(req.body.productOptJson),
                         productComment: common.checkboxBool(req.body.frmProductComment)
                     };
 
+                    console.log('test', productDoc);
+
                     // if no featured image
                     if(!product.productImage){
                         if(images.length > 0){