fix(http): escape req.query.to in replaceTemplates
This commit is contained in:
parent
2ba03c3424
commit
c0e123a801
@ -7,7 +7,7 @@ import { normalize, Options } from "../common/util"
|
|||||||
import { AuthType, DefaultedArgs } from "./cli"
|
import { AuthType, DefaultedArgs } from "./cli"
|
||||||
import { commit, rootPath } from "./constants"
|
import { commit, rootPath } from "./constants"
|
||||||
import { Heart } from "./heart"
|
import { Heart } from "./heart"
|
||||||
import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString } from "./util"
|
import { getPasswordMethod, IsCookieValidArgs, isCookieValid, sanitizeString, escapeHtml } from "./util"
|
||||||
|
|
||||||
declare global {
|
declare global {
|
||||||
// eslint-disable-next-line @typescript-eslint/no-namespace
|
// eslint-disable-next-line @typescript-eslint/no-namespace
|
||||||
@ -35,7 +35,7 @@ export const replaceTemplates = <T extends object>(
|
|||||||
...extraOpts,
|
...extraOpts,
|
||||||
}
|
}
|
||||||
return content
|
return content
|
||||||
.replace(/{{TO}}/g, (typeof req.query.to === "string" && req.query.to) || "/")
|
.replace(/{{TO}}/g, (typeof req.query.to === "string" && escapeHtml(req.query.to)) || "/")
|
||||||
.replace(/{{BASE}}/g, options.base)
|
.replace(/{{BASE}}/g, options.base)
|
||||||
.replace(/{{CS_STATIC_BASE}}/g, options.csStaticBase)
|
.replace(/{{CS_STATIC_BASE}}/g, options.csStaticBase)
|
||||||
.replace(/"{{OPTIONS}}"/, `'${JSON.stringify(options)}'`)
|
.replace(/"{{OPTIONS}}"/, `'${JSON.stringify(options)}'`)
|
||||||
|
@ -112,7 +112,7 @@ router.post("/", async (req, res) => {
|
|||||||
|
|
||||||
throw new Error("Incorrect password")
|
throw new Error("Incorrect password")
|
||||||
} catch (error) {
|
} catch (error) {
|
||||||
const htmlToRender = await getRoot(req, error)
|
const renderedHtml = await getRoot(req, error)
|
||||||
res.send(htmlToRender)
|
res.send(renderedHtml)
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
|
@ -1,8 +1,7 @@
|
|||||||
|
import { RateLimiter } from "../../../src/node/routes/login"
|
||||||
import * as httpserver from "../../utils/httpserver"
|
import * as httpserver from "../../utils/httpserver"
|
||||||
import * as integration from "../../utils/integration"
|
import * as integration from "../../utils/integration"
|
||||||
|
|
||||||
import { RateLimiter } from "../../../src/node/routes/login"
|
|
||||||
|
|
||||||
describe("login", () => {
|
describe("login", () => {
|
||||||
describe("RateLimiter", () => {
|
describe("RateLimiter", () => {
|
||||||
it("should allow one try ", () => {
|
it("should allow one try ", () => {
|
||||||
@ -56,8 +55,12 @@ describe("login", () => {
|
|||||||
_codeServer = await integration.setup(["--auth=password"], "")
|
_codeServer = await integration.setup(["--auth=password"], "")
|
||||||
})
|
})
|
||||||
|
|
||||||
afterEach(() => {
|
afterEach(async () => {
|
||||||
process.env.PASSWORD = previousEnvPassword
|
process.env.PASSWORD = previousEnvPassword
|
||||||
|
if (_codeServer) {
|
||||||
|
await _codeServer.close()
|
||||||
|
_codeServer = undefined
|
||||||
|
}
|
||||||
})
|
})
|
||||||
|
|
||||||
it("should return HTML with 'Missing password' message", async () => {
|
it("should return HTML with 'Missing password' message", async () => {
|
||||||
|
Loading…
Reference in New Issue
Block a user