| author | Jules Laplace <julescarbon@gmail.com> | 2018-01-01 19:13:02 +0100 |
|---|---|---|
| committer | Jules Laplace <julescarbon@gmail.com> | 2018-01-01 19:13:02 +0100 |
| commit | 9a55d9dc59c12e7f2453948b04d017de4e329fff (patch) | |
| tree | f8654db0c2f7816603bd6a1710804cbd233d755e /public/assets/js/lib/views | |
| parent | 7176250d674711c86e69984766b603e4e54dc201 (diff) | |
sanitizing correctly
Diffstat (limited to 'public/assets/js/lib/views')
| -rw-r--r-- | public/assets/js/lib/views/details/details.js | 4 | ||||
| -rw-r--r-- | public/assets/js/lib/views/details/settings.js | 8 | ||||
| -rw-r--r-- | public/assets/js/lib/views/keywords/keywords.js | 2 | ||||
| -rw-r--r-- | public/assets/js/lib/views/mail/compose.js | 4 | ||||
| -rw-r--r-- | public/assets/js/lib/views/mail/mailbox.js | 2 | ||||
| -rw-r--r-- | public/assets/js/lib/views/mail/message.js | 2 | ||||
| -rw-r--r-- | public/assets/js/lib/views/profile/profile.js | 14 | ||||
| -rw-r--r-- | public/assets/js/lib/views/profile/profile_edit.js | 4 | ||||
| -rw-r--r-- | public/assets/js/lib/views/search/results.js | 14 |
9 files changed, 27 insertions, 27 deletions
diff --git a/public/assets/js/lib/views/details/details.js b/public/assets/js/lib/views/details/details.js 
index 1b67b92..781d136 100644 
--- a/public/assets/js/lib/views/details/details.js 
+++ b/public/assets/js/lib/views/details/details.js 
@@ -32,8 +32,8 @@ var DetailsView = View.extend({
 set_background_color(data.thread.color || (data.keyword ? data.keyword.color : 'plain'))
 $("body").removeClass('loading')
 var thread = data.thread 
- $("h1").html(sanitize(thread.title)) 
- $("title").html(sanitize(thread.title)) 
+ $("h1").html(sanitizeEntities(thread.title)) 
+ $("title").html(sanitizeEntities(thread.title))
 $(".metadata").html(metadata(thread))
 $(".settings_link").attr("href", "/details/" + thread.id + "/settings")
 this.form.load(data.thread) 
diff --git a/public/assets/js/lib/views/details/settings.js b/public/assets/js/lib/views/details/settings.js 
index c8e53db..a7dd050 100644 
--- a/public/assets/js/lib/views/details/settings.js 
+++ b/public/assets/js/lib/views/details/settings.js 
@@ -42,7 +42,7 @@ var ThreadSettingsForm = FormView.extend({
 this.$(".close_link").attr("href", "/details/" + thread.id)
 this.$(".metadata").html(metadata(thread)) 
- this.$("[name=title]").val(sanitize(thread.title)) 
+ this.$("[name=title]").val(thread.title)
 this.$("[name=hootbox]").prop("checked", !!thread.settings.hootbox)
 this.$("[name=shorturls]").prop("checked", !!thread.settings.shorturls) 
@@ -130,7 +130,7 @@ var ThreadSettingsForm = FormView.extend({
 var usernames = this.$('[name=allowed_field]').val().replace(/,/g, ' ').split(' ').map(s => s.trim()).filter(s => !! s)
 this.$('[name=allowed_field]').val('')
 usernames = usernames.filter( (name) => this.allowed.indexOf(name) === -1 ) 
- .map( (name) => sanitize(name) ) 
+ .map( (name) => sanitizeHTML(name) )
 $.ajax({
 method: "PUT",
 url: "/api/checkUsernames", 
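Review bot: `$("title").html(sanitizeEntities(thread.title))` routes the title through the HTML parser when the DOM already offers a text-only sink; `document.title = thread.title` needs no escaping and cannot be misread as markup, and the `<h1>` line can likewise use `$("h1").text(thread.title)`. Whether `sanitizeEntities` escapes `<`, `>`, `&` and both quote characters is not visible in this diff, and results.js @@ -21 uses `sanitizeHTML` for the same `<title>` sink, so one helper should be chosen for both places or the text-only sinks used instead. The enclosing function starts outside the hunk.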
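Review bot: `.map( (name) => sanitizeHTML(name) )` HTML-escapes usernames before they are sent to `/api/checkUsernames`, so a name containing `&` or a quote is transmitted and checked in its escaped form rather than as typed (assuming `sanitizeHTML` entity-encodes, which the diff does not show). Escaping belongs at the rendering sink: send the raw filtered list here, apply `sanitizeHTML` where the names are written into markup, and leave validation of the names to the server. The enclosing function starts outside the hunk.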
@@ -216,7 +216,7 @@ var ThreadSettingsForm = FormView.extend({
 var id = data.thread.id
 var comment_count = (data.comments || []).length
 var file_count = (data.files || []).length 
- var msg = "Are you sure you want to delete this thread?\n\n#" + id + ' "' + sanitize(data.thread.title) + '"' 
+ var msg = "Are you sure you want to delete this thread?\n\n#" + id + ' "' + sanitizeHTML(data.thread.title) + '"'
 msg += " + " + comment_count + " comment" + courtesy_s(comment_count)
 if ( file_count) msg += " + " + file_count + " file" + courtesy_s(file_count)
 var should_remove = confirm(msg) 
@@ -244,7 +244,7 @@ var ThreadSettingsForm = FormView.extend({
 var data = this.options.parent.data
 var file = data.files.find(f => f.id === file_id)
 if (! file) return 
- var msg = "Are you sure you want to delete this file?\n\n#" + file_id + ' "' + sanitize(file.filename) + '"' 
+ var msg = "Are you sure you want to delete this file?\n\n#" + file_id + ' "' + sanitizeHTML(file.filename) + '"'
 var should_remove = confirm(msg)
 if (should_remove) {
 $.ajax({ 
diff --git a/public/assets/js/lib/views/keywords/keywords.js b/public/assets/js/lib/views/keywords/keywords.js 
index 9b2eadc..12bd5a8 100644 
--- a/public/assets/js/lib/views/keywords/keywords.js 
+++ b/public/assets/js/lib/views/keywords/keywords.js 
@@ -47,7 +47,7 @@ var KeywordsView = View.extend({
 var age = get_age(thread.lastmodified)
 var id = thread.id + get_revision(thread)
 var t = this.template 
- .replace(/{{keyword}}/g, sanitize(keyword.keyword)) 
+ .replace(/{{keyword}}/g, sanitizeHTML(keyword.keyword))
 .replace(/{{id}}/g, id)
 .replace(/{{username}}/g, keyword.username)
 .replace(/{{privacy_dot}}/g, dot) 
diff --git a/public/assets/js/lib/views/mail/compose.js b/public/assets/js/lib/views/mail/compose.js 
index 1da4ceb..f2592ea 100644 
--- a/public/assets/js/lib/views/mail/compose.js 
+++ b/public/assets/js/lib/views/mail/compose.js 
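Review bot: `sanitizeHTML(data.thread.title)` feeds `confirm(msg)`, which displays plain text, so a title containing `&` or `"` will show up in the dialog as `&amp;` or `&quot;` if `sanitizeHTML` entity-encodes; the same applies to `sanitizeHTML(file.filename)` in the @@ -244 hunk. No HTML escaping is needed for a `confirm()` message; use `data.thread.title` and `file.filename` directly and keep `sanitizeHTML` for markup sinks. Both enclosing functions start outside their hunks.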
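Review bot: `.replace(/{{keyword}}/g, sanitizeHTML(keyword.keyword))` passes a string as the replacement, and `String.prototype.replace` interprets `$&`, `$'` and `$1`-style sequences inside a string replacement, so a keyword containing `$&` would expand to the matched placeholder text; the `.replace(/{{thread_id}}/g, ...)` chain in results.js @@ -48 has the same shape. Passing a function, `.replace(/{{keyword}}/g, () => sanitizeHTML(keyword.keyword))`, disables that interpretation. The adjacent `{{username}}` substitution on the next context line still inserts `keyword.username` unescaped into the same template, so if `t` is rendered as HTML it needs the same treatment. The enclosing function starts outside the hunk.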
@@ -26,12 +26,12 @@ var ComposeView = FormView.extend({
 console.log(tmpl)
 this.$("[name=username]").val(message.sender)
 this.$("[name=subject]").val(message.subject) 
- this.$("[name=body]").val(sanitize(tmpl + message.body)) 
+ this.$("[name=body]").val(tmpl + message.body)
 $("body").removeClass('loading')
 }.bind(this))
 return
 } 
- this.$("[name=username]").val(sanitize(username)) 
+ this.$("[name=username]").val(username)
 $("body").removeClass('loading')
 }, 
diff --git a/public/assets/js/lib/views/mail/mailbox.js b/public/assets/js/lib/views/mail/mailbox.js 
index 9d988cb..c48d948 100644 
--- a/public/assets/js/lib/views/mail/mailbox.js 
+++ b/public/assets/js/lib/views/mail/mailbox.js 
@@ -14,7 +14,7 @@ var MailboxView = View.extend({
 },
 load: function(name){ 
- name = sanitize(name) || "inbox" 
+ name = sanitizeHTML(name) || "inbox"
 $("h1").html(name)
 var query = window.location.search.substr(1)
 $.get(this.action + name, query, this.populate.bind(this)) 
diff --git a/public/assets/js/lib/views/mail/message.js b/public/assets/js/lib/views/mail/message.js 
index b5258a5..6fa3d78 100644 
--- a/public/assets/js/lib/views/mail/message.js 
+++ b/public/assets/js/lib/views/mail/message.js 
@@ -13,7 +13,7 @@ var MessageView = View.extend({
 },
 load: function(name){ 
- name = sanitize(name) || "inbox" 
+ name = sanitizeHTML(name) || "inbox"
 $.ajax({
 url: this.action + name,
 method: 'get', 
diff --git a/public/assets/js/lib/views/profile/profile.js b/public/assets/js/lib/views/profile/profile.js 
index 2254bd5..1064adb 100644 
--- a/public/assets/js/lib/views/profile/profile.js 
+++ b/public/assets/js/lib/views/profile/profile.js 
@@ -18,7 +18,7 @@ var ProfileView = View.extend({
 populate: function(user){
 $("body").removeClass('loading')
 var $table = this.$("table") 
- var username = sanitize(user.username) 
+ var username = sanitizeHTML(user.username)
 var is_own_profile = (username === auth.user.username)
 if (is_own_profile) {
 $(".edit_profile a").attr("href", "/profile/" + username + "/edit") 
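Review bot: `name = sanitizeHTML(name) || "inbox"` applies HTML entity escaping to a value that is then concatenated into the request URL on `$.get(this.action + name, query, ...)`, so any character the helper escapes reaches the server in its `&amp;`-style form rather than as the mailbox name; message.js @@ -13 does the same with `url: this.action + name`. HTML escaping and URL encoding are different encodings for different sinks: keep the raw name and use `encodeURIComponent(name)` for the URL, and either escape only for `$("h1").html(name)` or switch that line to `$("h1").text(name)`, which needs no escaping at all. The closing brace of `load` is outside the hunk.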
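Review bot: `var username = sanitizeHTML(user.username)` is compared against `auth.user.username` on the next line, so a username containing any character the helper escapes can never match its own profile, and the escaped form is also concatenated into the `/profile/.../edit` href where URL encoding, not entity encoding, applies. Compare the raw values, `var is_own_profile = (user.username === auth.user.username)`, and escape only at the point where the name is written into markup. `populate` continues outside the hunk.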
@@ -34,27 +34,27 @@ var ProfileView = View.extend({
 ].map(pair => {
 var key = pair[0], label = pair[1]
 if (! user[key]) return; 
- return [label, sanitize(user[key])] 
+ return [label, sanitizeHTML(user[key])]
 })
 if (user.email) {
 fields.push([
 'Email', 
- '<a href="mailto:' + sanitize(user.email) + '">' + sanitize(user.email) + '</a>' 
+ '<a href="mailto:' + sanitizeHTML(user.email) + '">' + sanitizeHTML(user.email) + '</a>'
 ])
 }
 if (user.twitter) {
 if (user.twitter.match(/^http/)) {
 var partz = user.twitter.split('/')
 if (partz.length > 2) { 
- var handle = sanitize(partz[3]) 
+ var handle = sanitizeHTML(partz[3])
 fields.push([
 'Twitter',
 '<a href="https://twitter.com/' + handle + '">@' + handle + '</a>'
 ])
 }
 } else { 
- var handle = sanitize(user.twitter) 
+ var handle = sanitizeHTML(user.twitter)
 fields.push([
 'Twitter',
 '<a href="https://twitter.com/' + handle + '">@' + handle + '</a>' 
@@ -62,10 +62,10 @@ var ProfileView = View.extend({
 }
 }
 if (user.website) { 
- var website = sanitize(user.website) 
+ var website = sanitizeHTML(user.website)
 fields.push([
 'Website', 
- '<a href="' + sanitize(website) + '">' + sanitize(website) + '</a>' 
+ '<a href="' + sanitizeHTML(website) + '">' + sanitizeHTML(website) + '</a>'
 ])
 } 
diff --git a/public/assets/js/lib/views/profile/profile_edit.js b/public/assets/js/lib/views/profile/profile_edit.js 
index e50a7c0..d3656c4 100644 
--- a/public/assets/js/lib/views/profile/profile_edit.js 
+++ b/public/assets/js/lib/views/profile/profile_edit.js 
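Review bot: `var handle = sanitizeHTML(partz[3])` is guarded by `if (partz.length > 2)` on the line above, which admits `partz.length === 3` and then passes `undefined` to `sanitizeHTML`; the guard should be `if (partz.length > 3) {`. The handle is then placed in a URL path, `'https://twitter.com/' + handle`, where `encodeURIComponent(handle)` is the appropriate encoding and `sanitizeHTML` belongs only on the visible `@handle` text. `'<a href="mailto:' + sanitizeHTML(user.email) + '">'` likewise relies on the helper escaping `"`, which this diff does not show. `populate` starts outside the hunk.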
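Review bot: `'<a href="' + sanitizeHTML(website) + '">' + sanitizeHTML(website) + '</a>'` escapes a value that `var website = sanitizeHTML(user.website)` two lines above has already escaped, so a `&` in a query string would become `&amp;amp;` if the helper entity-encodes. Entity escaping also does not constrain the URL scheme, so the href carries whatever `user.website` holds; a scheme check before linking, e.g. `var url = /^https?:\/\//i.test(user.website) ? user.website : ''` with the anchor built only when `url` is non-empty, is the defensive step, after which `sanitizeHTML(url)` once for the attribute and once for the text is enough. `populate` continues outside the hunk.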
@@ -18,12 +18,12 @@ var ProfileForm = FormView.extend({
 load: function(username){
 this.action = "/api/user/" + username;
 "realname location email phone website twitter".split(" ").forEach((field) => { 
- this.$('[name=' + field + ']').val( sanitize(auth.user[field]) ) 
+ this.$('[name=' + field + ']').val( auth.user[field] )
 })
 if (! auth.user.avatar) {
 $("#profile-avatar-embed").hide()
 } else { 
- $("#profile-avatar-embed").attr("src", sanitize(auth.user.avatar)) 
+ $("#profile-avatar-embed").attr("src", sanitizeHTML(auth.user.avatar))
 }
 $("body").removeClass('loading')
 }, 
diff --git a/public/assets/js/lib/views/search/results.js b/public/assets/js/lib/views/search/results.js 
index 0f34845..8c793f1 100644 
--- a/public/assets/js/lib/views/search/results.js 
+++ b/public/assets/js/lib/views/search/results.js 
@@ -21,11 +21,11 @@ var SearchResults = View.extend({
 },
 populate: function(res){ 
- var query = sanitize(res.meta.query) 
+ var query = sanitizeHTML(res.meta.query)
 var terms = res.meta.terms
 console.log(res) 
- $("title").html('bucky search "' + sanitize(query) + '"') 
- $("[name=query]").val(query) 
+ $("title").html('bucky search "' + query + '"') 
+ $("[name=query]").val(res.meta.query)
 this.$(".query").html(query)
 var total = parseInt(res.meta.total)
 this.$(".total").html(total + " result" + courtesy_s(total)) 
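Review bot: `$("#profile-avatar-embed").attr("src", sanitizeHTML(auth.user.avatar))` hands an entity-escaped string to `.attr()`, which sets the attribute value directly rather than parsing HTML, so an avatar URL containing `&` would be requested with a literal `&amp;` in it. Use the raw `auth.user.avatar` here, consistent with the `.val( auth.user[field] )` line in the same hunk that already drops escaping for a non-HTML sink; if the URL needs constraining, validate its scheme rather than entity-encoding it. `load` is shown in full in this hunk.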
@@ -48,13 +48,13 @@ var SearchResults = View.extend({
 image = result.thread.flagged
 }
 var image_path = image ? '/data/' + result.thread.id + '/' + sanitize(image.filename) : '' 
- var file_tag = result.file ? '<a href="' + make_link(result.file) + '">' + bold_terms(sanitize(result.file.filename), terms) + '</a>' : '' 
+ var file_tag = result.file ? '<a href="' + make_link(result.file) + '">' + bold_terms(result.file.filename, terms) + '</a>' : ''
 var t = this.template 
- .replace(/{{thread_id}}/g, sanitize("" + result.thread.id)) 
+ .replace(/{{thread_id}}/g, sanitizeHTML("" + result.thread.id))
 .replace(/{{meta}}/, metadata(result.thread))
 .replace(/{{image}}/, image_path) 
- .replace(/{{title}}/, bold_terms(sanitize(result.thread.title), terms)) 
- .replace(/{{comment}}/, result.comment ? bold_terms(sanitize(result.comment.comment), terms) : '') 
+ .replace(/{{title}}/, bold_terms(result.thread.title, terms)) 
+ .replace(/{{comment}}/, result.comment ? bold_terms(result.comment.comment, terms) : '')
 .replace(/{{file}}/, file_tag)
 .replace(/{{strength}}/, result.strength)
 this.$("#results").append(t) |
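Review bot: `bold_terms(result.thread.title, terms)`, the `{{comment}}` line and the `file_tag` line now pass unescaped titles, comments and filenames to `bold_terms`, whose output is inserted into the page as HTML by `this.$("#results").append(t)`; unless `bold_terms` escapes its input before wrapping matches, this hunk removes the only escaping those values had. If `bold_terms` does escape internally, a one-line comment at the first call, `// bold_terms escapes its input before wrapping matches`, would make that dependency explicit; otherwise restore `sanitizeHTML(...)` around each argument. The unchanged `image_path` line still calls the old `sanitize` helper, so both helpers remain in use in this function and the intended split between them is not stated anywhere in the diff. The enclosing function starts outside the hunk.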
