Merge pull request #10 from wallymathieu/flohdot_master

Add escaping for bad platform string.

Author: wallymathieu

lib/nuts.js

@@ -195,7 +195,7 @@ Nuts.prototype.onDownload = function(req, res, next) {
         }
 
         if (!asset) {
-          res.status(400).send("No download available for platform "+platform+" for version "+version.tag+" ("+(channel || "beta")+")");
+          res.status(400).send("No download available for platform "+_.escape(platform)+" for version "+version.tag+" ("+(channel || "beta")+")");
           return;
         }
 
@@ -215,7 +215,7 @@ Nuts.prototype.onUpdateRedirect = function(req, res, next) {
         if (!req.query.version) throw new Error('Requires "version" parameter');
         if (!req.query.platform) throw new Error('Requires "platform" parameter');
 
-        return res.redirect('/update/'+req.query.platform+'/'+req.query.version);
+        return res.redirect('/update/'+_.escape(req.query.platform)+'/'+_.escape(req.query.version));
     })
     .fail(next);
 };