add xss packge and use node8

jackhutu · Jul 10, 2017 · 41ac6a9 · 41ac6a9
1 parent 0cba4cd
commit 41ac6a9
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 15 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,4 +1,4 @@
-FROM       jackhu/jenkins-deploy-nodejs:7
+FROM       jackhu/jenkins-deploy-nodejs:8
 MAINTAINER Jack Hu <[email protected]>
 
 EXPOSE  8800

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "jackblog-api-koa",
-  "version": "2.2.1",
+  "version": "2.3.0",
   "description": "jackblog API koa版",
   "main": "server/app.js",
   "scripts": {
@@ -73,7 +73,8 @@
     "passport-qq": "0.0.3",
     "passport-weibo": "^0.1.2",
     "qiniu": "6.1.13",
-    "trek-captcha": "^0.3.0"
+    "trek-captcha": "^0.3.0",
+    "xss": "^0.3.3"
   },
   "devDependencies": {
     "ava": "^0.20.0",

diff --git a/server/api/comment/comment.controller.js b/server/api/comment/comment.controller.js
@@ -1,14 +1,15 @@
 'use strict'
 
 const _ = require('lodash')
+const xss = require('xss')
 const mongoose = require('mongoose')
 const Comment = mongoose.model('Comment')
 const Blog = mongoose.model('Article')
 
 //添加新的评论.
 exports.addNewComment = async (ctx,next) => {
 	const aid = ctx.request.body.aid
-	const content = ctx.request.body.content
+	let content = ctx.request.body.content
 	const userId = ctx.req.user._id
 	let error_msg
 	if(!aid){
@@ -20,6 +21,8 @@ exports.addNewComment = async (ctx,next) => {
 		ctx.status = 422
 		return ctx.body = {error_msg:error_msg}
 	}
+	content = xss(content)
+
 	try{
 		let result = await Comment.create({ aid:aid,content:content,user_id:userId })
 		let comment = result.toObject()
@@ -41,13 +44,13 @@ exports.getFrontCommentList = async (ctx,next)=>{
 	const aid = ctx.params.id
 	try{
 		const commentList = await Comment.find({aid:aid,status:{$eq:1}})
-																.sort('created')
-																.populate({
-																	path: 'user_id',
-																	select: 'nickname avatar'
-																})
-																.exec()
-
+			.sort('created')
+			.populate({
+				path: 'user_id',
+				select: 'nickname avatar',
+				match: { nickname: { $exists: true } },
+			})
+			.exec()
 		ctx.status = 200
 		ctx.body = {data:commentList}
 	}catch(err){
@@ -61,6 +64,7 @@ exports.addNewReply = async (ctx,next)=>{
 		ctx.status = 422
 		return ctx.body = {error_msg:'回复内容不能为空'}
 	}
+	ctx.request.body.content = xss(ctx.request.body.content)
 	let reply = ctx.request.body
   reply.user_info = {
   	id:ctx.req.user._id,