diff --git a/src/routes/util.js b/src/routes/util.js
index 9cc3f3d..1d42175 100644
--- a/src/routes/util.js
+++ b/src/routes/util.js
@@ -38,7 +38,7 @@ router.get('/', function (req, res) {
 router.get('/profile-url', function (req, res) {
   res.render('util/profile-url', { meta: getMetaFromReq(req) })
 })
-router.get('/profile-url/:input',
+router.get('/profile-url/:input', escapedParam('input'),
   function (req, res) {
     res.render('util/profile-url', { input: req.params.input, meta: getMetaFromReq(req) })
diff --git a/src/server/utils.js b/src/server/utils.js
index 0475f5d..894fa6d 100644
--- a/src/server/utils.js
+++ b/src/server/utils.js
@@ -156,17 +156,17 @@ export function generateProfileTheme (/** @type {Profile} */ profile) {
 
 const reEmailLike = /(<[^\s@<>]+@[^\s@<>]+>)/
 
-export function escapedParam(name) {
+export function escapedParam (/** @type {String} */ name) {
   return param(name).customSanitizer(value => {
     return value.split(reEmailLike).map(token => {
       if (reEmailLike.test(token)) return token
-      return escape(token)
+      return escapeString(token)
     }).join('')
   })
 }
 
-// Copied from https://github.com/validatorjs/validator.js/blob/b958bd7d1026a434ad3bf90064d3dcb8b775f1a9/src/lib/escape.js
-function escape(input) {
+// Copied from https://github.com/validatorjs/validator.js/blob/b958bd7d1026a434ad3bf90064d3dcb8b775f1a9/src/lib/escapeString.js
+function escapeString (/** @type {String} */ input) {
   return (input.replace(/&/g, '&')
     .replace(/"/g, '"')
     .replace(/'/g, ''')
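Review bot: After this change the handler's `req.params.input` is whatever escapedParam's sanitizer produced, and that sanitizer deliberately passes tokens matching `<local@host>` through with their `<` and `>` intact, so the value is still not safe to emit as raw HTML and nothing at the call site says so. A one-line comment above the route would carry that contract, e.g. `// escapedParam HTML-escapes :input except <user@host> tokens; the view must still encode it`. Whether the util/profile-url view auto-escapes depends on the view engine, which this hunk does not show. The router.get call and its handler continue past the end of the hunk.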
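Review bot: The provenance comment's URL was renamed together with the function, but upstream validator.js keeps this helper at src/lib/escape.js, so the pinned link very likely no longer resolves; keep `// Copied from https://github.com/validatorjs/validator.js/blob/b958bd7d1026a434ad3bf90064d3dcb8b775f1a9/src/lib/escape.js` and rename only the local identifier. escapedParam still has no JSDoc stating that tokens matching reEmailLike are returned unescaped, `<` and `>` included, which a caller reading the name would not expect; a short docstring saying the chain HTML-escapes req.params[name] except for `<local@domain>` tokens, and that the result is therefore not HTML-safe on its own, would prevent misuse. On this page the replacement strings in escapeString read as bare `&`, `"` and `'`, presumably the upstream HTML entities decoded by rendering; worth confirming the committed file still has the entities, since the form shown here would escape nothing. The new `{String}` annotations name the wrapper type; JSDoc convention for primitives is `{string}`.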