fix(http): escape req.query.to in replaceTemplates

2021-06-30 10:39:48 -07:00
parent 2ba03c3424
commit c0e123a801
3 changed files with 10 additions and 7 deletions
--- a/src/node/http.ts
+++ b/src/node/http.ts
@ -7,7 +7,7 @@ import { normalize, Options } from "../common/util"
 import { AuthType, DefaultedArgs } from "./cli"
 import { commit, rootPath } from "./constants"
 import { Heart } from "./heart"
-import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString } from "./util"
+import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString, escapeHtml } from "./util"

 declare global {
  // eslint-disable-next-line @typescript-eslint/no-namespace
@ -35,7 +35,7 @@ export const replaceTemplates = <T extends object>(
    ...extraOpts,
  }
  return content
-    .replace(/{{TO}}/g, (typeof req.query.to === "string" && req.query.to) || "/")
+    .replace(/{{TO}}/g, (typeof req.query.to === "string" && escapeHtml(req.query.to)) || "/")
    .replace(/{{BASE}}/g, options.base)
    .replace(/{{CS_STATIC_BASE}}/g, options.csStaticBase)
    .replace(/"{{OPTIONS}}"/, `'${JSON.stringify(options)}'`)
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@ -112,7 +112,7 @@ router.post("/", async (req, res) => {

    throw new Error("Incorrect password")
  } catch (error) {
-    const htmlToRender = await getRoot(req, error)
-    res.send(htmlToRender)
+    const renderedHtml = await getRoot(req, error)
+    res.send(renderedHtml)
  }
 })