Added XXE,Jse

.gitignore

@@ -3,3 +3,4 @@ docs/_book
 npm-debug.log
 vars.env
 package-lock.json
+.dev/

core/appHandler.js

@@ -2,6 +2,8 @@ var db = require('../models')
 var bCrypt = require('bcrypt')
 const exec = require('child_process').exec;
 var mathjs = require('mathjs')
+var libxmljs = require("libxmljs");
+var serialize = require("node-serialize")
 const Op = db.Sequelize.Op
 
 module.exports.userSearch = function (req, res) {
@@ -209,3 +211,35 @@ module.exports.listUsersAPI = function (req, res) {
 		})
 	})
 }
+
+module.exports.bulkProducts =  function(req, res) {
+	// TODO: Deprecate this soon
+	if (req.query.legacy && req.files.products){
+		var products = serialize.unserialize(req.files.products.data.toString('utf8'))
+		console.log(products)
+		products.forEach( function (product) {
+			var newProduct = new db.Product()
+			newProduct.name = product.name
+			newProduct.code = product.code
+			newProduct.tags = product.tags
+			newProduct.description = product.description
+
+			newProduct.save()
+		})
+		res.redirect('/app/products')
+	}
+	else if (req.files.products && req.files.products.mimetype=='text/xml'){
+		var products = libxmljs.parseXmlString(req.files.products.data.toString('utf8'), {noent:true,noblanks:true})
+		products.root().childNodes().forEach( product => {
+			var newProduct = new db.Product()
+			newProduct.name = product.childNodes()[0].text()
+			newProduct.code = product.childNodes()[1].text()
+			newProduct.tags = product.childNodes()[2].text()
+			newProduct.description = product.childNodes()[3].text()
+			newProduct.save()
+		})
+		res.redirect('/app/products')
+	}else{
+		res.render('app/bulkproducts',{messages:{danger:'Invalid file'}})
+	}
+}

models/product.js

@@ -17,7 +17,7 @@ module.exports = function (sequelize, DataTypes) {
             allowNull: false
         },
         description: {
-            type: DataTypes.STRING,
+            type: DataTypes.TEXT,
             allowNull: false
         },
         tags: {

package.json

@@ -15,13 +15,16 @@
     "bcrypt": "^1.0.3",
     "ejs": "^2.5.7",
     "express": "^4.16.2",
+    "express-fileupload": "^0.4.0",
     "express-flash": "0.0.2",
     "express-session": "^1.15.6",
     "flash": "^1.1.0",
+    "libxmljs": "^0.19.1",
     "mathjs": "3.10.1",
     "md5": "^2.2.1",
     "morgan": "^1.9.0",
     "mysql2": "^1.4.2",
+    "node-serialize": "0.0.4",
     "passport": "^0.4.0",
     "passport-local": "^1.0.0",
     "sequelize": "^4.13.10"

routes/app.js

@@ -19,6 +19,10 @@ module.exports = function () {
         })
     })
 
+    router.get('/bulkproducts', authHandler.isAuthenticated, function (req, res) {
+        res.render('app/bulkproducts')
+    })
+
     router.get('/products', authHandler.isAuthenticated, appHandler.listProducts)
 
     router.get('/modifyproduct', authHandler.isAuthenticated, appHandler.modifyProduct)
@@ -55,5 +59,7 @@ module.exports = function () {
 
     router.post('/calc', authHandler.isAuthenticated, appHandler.calc)
 
+    router.post('/bulkproducts',authHandler.isAuthenticated, appHandler.bulkProducts);
+
     return router
 }

server.js

@@ -4,6 +4,7 @@ var passport = require('passport')
 var session = require('express-session')
 var ejs = require('ejs')
 var morgan = require('morgan')
+const fileUpload = require('express-fileupload');
 var config = require('./config/server')
 
 //Initialize Express
@@ -13,8 +14,9 @@ app.use(express.static('public'))
 app.set('view engine','ejs')
 app.use(morgan('tiny'))
 app.use(bodyParser.urlencoded({ extended: false }))
+app.use(fileUpload());
 
-// For Reverse proxy support
+// Enable for Reverse proxy support
 // app.set('trust proxy', 1) 
 
 // Intialize Session

views/app/bulkproducts.ejs

@@ -0,0 +1,79 @@
+<!DOCTYPE html>
+<html lang="en">
+<head>
+    <% include ../common/head %>
+</head>
+<body>
+    <% include ../common/navigation %>
+    <div class='container' style='min-height: 450px'><div class='row'><div class='col-md-12'>
+
+        <h2>
+            <i class='fa fa-upload'></i> Bulk Import Products
+        </h2>
+
+        <% if (messages.success) { %>
+            <div class="alert alert-success"><%=messages.success%></div>
+        <% } else if (messages.danger) { %>
+            <div class="alert alert-danger"><%= messages.danger %></div>
+        <% } else if (messages.warning) {%> 
+            <div class="alert alert-warning"><%= messages.warning %></div>
+        <% } else if (messages.info) {%> 
+            <div class="alert alert-info"><%= messages.info %></div>
+        <% } %>
+
+        <div>
+            <h3>Upload products</h3>
+            <form encType="multipart/form-data" method="post" action="/app/bulkproducts">
+                <div class="input-group mb-3">
+                    <div class="products-file">
+                        <input type="file" name="products" class="file-input" id="inputfile" accept=".xml">
+                        <br>
+                        <input class="button" type="submit" name="submit" value="Upload">
+                    </div>
+                </div>
+            </form>
+        </div>
+
+        <div><br>
+            <h3>Sample XML</h3>
+            <xmp>
+                <products>
+                    <product>
+                        <name>Xbox One</name>
+                        <code>23</code>
+                        <tags>gaming console</tags>
+                        <description>Gaming console by Microsoft</description>
+                    </product>
+                    <product>
+                        <name>Playstation 4</name>
+                        <code>26</code>
+                        <tags>gaming console</tags>
+                        <description>Gaming console by Sony</description>
+                    </product>
+                </products>
+            </xmp>
+            <xmp>
+                <products>
+                    <product>
+                        <name>Xbox One</name>
+                        <code>23</code>
+                        <tags>gaming console</tags>
+                        <description>Gaming console by Microsoft</description>
+                    </product>
+                    <product>
+                        <name>Playstation 4</name>
+                        <code>26</code>
+                        <tags>gaming console</tags>
+                        <description>Gaming console by Sony</description>
+                    </product>
+                </products>
+            </xmp>
+            <!-- For legacy endpoit /app/bulkproducts?legacy=true <xmp>[{"name":"Xbox 360","code":"15","tags":"gaming console","description":"Microsoft's flagship gaming console"},{"name":"Playstation 3","code":"17","tags":"gaming console","description":"Sony's flagshipgaming console"}]</xmp> -->
+        </div>
+
+
+
+        </div></div></div>
+    <% include ../common/footer %>
+</body>
+</html>

views/app/modifyproduct.ejs

@@ -10,6 +10,7 @@
     <h2>
         Add/Edit Product
         <span class='pull-right'>
+            <a href='/app/bulkproducts' class='btn btn-primary'>Bulk Import</a>
             <a href='/app/products' class='btn btn-primary'>List Products</a>
         </span>
     </h2>
@@ -52,7 +53,7 @@
                     <input type="text" name="tags" value="<%= output.product.tags %>" id="addEditProduct_product_tags" class="form-control" placeholder="Enter product tags eg. Tag1,Tag2,Tag3" />
                 </div>
             </div>
-
+            
             <div class="form-group ">
                 <label class="  control-label" for="addEditProduct_product_description">Product Description </label>
                 <div class="  controls">