Release version 0.1.3

remove accidental inclusion of , and add null char \x00

app/coffee/RequestParser.coffee

@@ -27,10 +27,12 @@ module.exports = RequestParser =
 			response.timeout = response.timeout * 1000 # milliseconds
 
 			response.resources = (@_parseResource(resource) for resource in (compile.resources or []))
-			response.rootResourcePath = @_parseAttribute "rootResourcePath",
+
+			rootResourcePath = @_parseAttribute "rootResourcePath",
 				compile.rootResourcePath
 				default: "main.tex"
 				type: "string"
+			response.rootResourcePath = RequestParser._sanitizePath(rootResourcePath)
 		catch error
 			return callback error
 
@@ -72,3 +74,6 @@ module.exports = RequestParser =
 			throw "Default not implemented"
 		return attribute
 
+	_sanitizePath: (path) ->
+		# See http://php.net/manual/en/function.escapeshellcmd.php
+		path.replace(/[\#\&\;\`\|\*\?\~\<\>\^\(\)\[\]\{\}\$\\\x0A\xFF\x00]/g, "")

package.json

@@ -1,7 +1,7 @@
 {
   "name": "node-clsi",
   "description": "A Node.js implementation of the CLSI LaTeX web-API",
-  "version": "0.1.2",
+  "version": "0.1.3",
   "repository": {
     "type": "git",
     "url": "https://github.com/sharelatex/clsi-sharelatex.git"

test/unit/coffee/RequestParserTests.coffee

@@ -204,6 +204,13 @@ describe "RequestParser", ->
 			@callback.calledWith("rootResourcePath attribute should be a string")
 				.should.equal true
 
-
+	describe "with a root resource path that needs escaping", ->
+		beforeEach ->
+			@validRequest.compile.rootResourcePath = "`rm -rf foo`.tex"
+			@RequestParser.parse @validRequest, @callback
+			@data = @callback.args[0][1]
+			
+		it "should return the escaped resource", ->
+			@data.rootResourcePath.should.equal "rm -rf foo.tex"