Merge pull request #539 from Martii/plugPotentialDDoS

Fix enforcing of `limit` QS fix for non-numerics in `limitRange`

Auto-merge

Author: Martii

libs/helpers.js

@@ -96,8 +96,11 @@ exports.cleanFilename = function (aFilename, aDefaultName) {
   return cleanName || aDefaultName;
 };
 
-exports.limitRange = function (aMin, aX, aMax) {
-  return Math.max(Math.min(aX, aMax), aMin);
+exports.limitRange = function (aMin, aX, aMax, aDefault) {
+  var x = Math.max(Math.min(aX, aMax), aMin);
+
+  // ES5 strict similar check to ES6 Number.isNaN()
+  return (x !== x ? aDefault : x);
 };
 
 exports.limitMin = function (aMin, aX) {

libs/templateHelpers.js

@@ -80,7 +80,9 @@ var newPagination = function (aCurrentPage, aItemsPerPage) {
 
   //
   pagination.currentPage = aCurrentPage ? helpers.limitMin(1, aCurrentPage) : 1;
-  pagination.itemsPerPage = aItemsPerPage ? helpers.limitRange(1, aItemsPerPage, maxItemsPerPage) : defaultItemsPerPage;
+  pagination.itemsPerPage = aItemsPerPage ?
+    helpers.limitRange(1, aItemsPerPage, maxItemsPerPage, defaultItemsPerPage) :
+    defaultItemsPerPage;
 
   return pagination;
 };