From 97355d29e08753d1cfe99b1281dbaa06f4e651b0 Mon Sep 17 00:00:00 2001
From: snoopysecurity
Date: Mon, 12 Oct 2020 00:25:42 +0100
Subject: [PATCH] fix: escape special characters before insertion to template
---
 src/server.js | 31 +++++++++++++++++++++++++------
 1 file changed, 25 insertions(+), 6 deletions(-)
diff --git a/src/server.js b/src/server.js
index 2485f49..4944708 100644
--- a/src/server.js
+++ b/src/server.js
@@ -19,6 +19,23 @@ app.use((req, res, next) => {
 next();
 });
+
+function htmlEscape(text) {
+ return text.replace(/&/g, '&').
+ replace(/ res.sendStatus(200));
 const handler = (res, params) => {
@@ -40,12 +57,14 @@ const handler = (res, params) => {
 app.get("/", (req, res) => handler(res, req.query));
 app.post("/", (req, res) => handler(res, req.body));
-app.get("/dynamic", (req, res) =>
- handler(res, { ...req.query, renderToHtml: true })
-);
+app.get("/dynamic", (req, res) => {
+ var sanitized = sanitize(req.query)
+ handler(res, { ...sanitized, renderToHtml: true })
+})
-app.post("/dynamic", (req, res) =>
- handler(res, { ...req.body, renderToHtml: true })
-);
+app.post("/dynamic", (req, res) => {
+ var sanitized = sanitize(req.body)
+ handler(res, { ...sanitized, renderToHtml: true })
+})
 module.exports = http.createServer(app);
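Review bot: Escaping is applied at the two `/dynamic` call sites rather than where `renderToHtml` is consumed, so the `/` routes (and any future caller that passes `renderToHtml: true`) still reach `handler` with raw values; calling `sanitize` inside `handler` when `params.renderToHtml` is set would tie the encoding to the HTML sink instead of to individual routes. The first hunk, where `htmlEscape` and presumably `sanitize` are defined, is garbled in this rendering, so I cannot confirm which characters it encodes, whether it recurses into nested query/body values (`req.body` is parsed JSON and `req.query` can contain arrays or objects), or whether non-string values are handled before `text.replace` is invoked on them. Entity encoding of this kind is adequate only for HTML text and quoted-attribute contexts; values interpolated into URLs, inline scripts or event-handler attributes need context-specific encoding, which is worth stating in a comment above `htmlEscape`. Style: `var sanitized = sanitize(req.query)` should be `const sanitized = sanitize(req.query);`, and the new arrow bodies and `app.get(...)`/`app.post(...)` statements drop the terminating semicolons that the surrounding lines use.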