From 22a22a8f7a2f2d5fd74d5763d4a18875bcd13452 Mon Sep 17 00:00:00 2001
From: Joe Previte
Date: Wed, 30 Jun 2021 09:53:04 -0700
Subject: [PATCH] fix: escape error.message on login failure
---
 src/node/routes/login.ts | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
index 2b160f25..63991165 100644
--- a/src/node/routes/login.ts
+++ b/src/node/routes/login.ts
@@ -41,7 +41,7 @@ const getRoot = async (req: Request, error?: Error): Promise => {
 req,
 content
 .replace(/{{PASSWORD_MSG}}/g, passwordMsg)
- .replace(/{{ERROR}}/, error ? `
${error.message}
` : ""),
+ .replace(/{{ERROR}}/, error ? `
${escapeHtml(error.message)}
` : ""),
 )
 }
@@ -112,8 +112,7 @@ router.post("/", async (req, res) => {
 throw new Error("Incorrect password")
 } catch (error) {
- const html = await getRoot(req, error)
- const escapedHtml = escapeHtml(html)
- res.send(escapedHtml)
+ const htmlToRender = await getRoot(req, error)
+ res.send(htmlToRender)
 }
 })
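Review bot: The second argument of `.replace(/{{ERROR}}/, …)` is still a plain string, so `String.prototype.replace` expands `$`-patterns such as `$&` and `$'` in it after `escapeHtml` has run. Assuming `escapeHtml` maps `&` to an `&…;` entity, a `$&` in the message still survives as a pattern and is replaced by the matched placeholder text. From what this hunk shows that garbles the rendered message rather than injecting markup, but a replacer function removes the behaviour entirely: build the error fragment first and pass `.replace(/{{ERROR}}/, () => errorHtml)`. The enclosing call and the rest of `getRoot` are outside the hunk, so whether `passwordMsg` needs the same treatment cannot be judged from here.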
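Review bot: The `catch (error)` block forwards whatever was thrown to `getRoot`, so every exception raised in the `try` body has its `message` rendered to an unauthenticated client, not only the `Incorrect password` error visible here. The `try` body starts outside the hunk, so I cannot see what else can throw there; if anything internal can, render a fixed user-facing message for unexpected errors and log the detail server-side. The caught value is also not guaranteed to be an `Error`, while `getRoot` declares `error?: Error`; a guard such as `const err = error instanceof Error ? error : new Error("Login failed")` before the call keeps `undefined` from being rendered. A regression test asserting that the response keeps the page markup and contains the escaped message would pin both halves of this fix.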