author | Sheogorath | 2018-06-24 00:32:41 +0200 |
---|---|---|
committer | Sheogorath | 2018-06-24 00:32:50 +0200 |
commit | b7b621822c518f659f775343332945bc545cb094 (patch) | |
tree | 79cde31f6348815538395fbdc057f1d65bdd434d /lib | |
parent | 7c7cc289f2c2b2e33a32ea32a6e97ea1410cc63e (diff) |
Fix possible line-ending issues for init note
By uploading a malicious note currently it is possible to prevent this
note from being edited. This happens when using Windows line endings.
With this commit we remove all `\r` characters from the notes and this
way prevent this problem.
Signed-off-by: Sheogorath <sheogorath@shivering-isles.com>
Diffstat (limited to '')
-rw-r--r-- | lib/response.js | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/lib/response.js b/lib/response.js
index 4cfa9a74..335f1000 100644
--- a/lib/response.js
+++ b/lib/response.js
@@ -145,6 +145,8 @@ function responseHackMD (res, note) {
 function newNote (req, res, next) {
 var owner = null
+ var body = req.body ? req.body : ''
+ body = body.replace(/[\r]/g, '')
 if (req.isAuthenticated()) {
 owner = req.user.id
 } else if (!config.allowAnonymous) {
@@ -153,7 +155,7 @@ function newNote (req, res, next) {
 models.Note.create({
 ownerId: owner,
 alias: req.alias ? req.alias : null,
- content: req.body ? req.body : ''
+ content: body
 }).then(function (note) {
 return res.redirect(config.serverURL + '/' + models.Note.encodeNoteId(note.id))
 }).catch(function (err) {
 |
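Review bot: The added `body.replace(/[\r]/g, '')` in the first hunk assumes `req.body` is a string, but the ternary on the line before it lets any truthy value through. If the body parser can hand over an object or a Buffer (the middleware setup is not visible here, so this needs confirming), the call throws a TypeError synchronously, before `models.Note.create` and outside the `.catch` in the second hunk. A type guard keeps the empty-string fallback: `var body = typeof req.body === 'string' ? req.body : ''`; the character class is also unnecessary, `/\r/g` is equivalent. Because the commit message describes an uploaded note that can no longer be edited, it is also worth checking that any other path that writes note content strips `\r` the same way. newNote's body continues outside both hunks.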