protect against xss in share link

vkarpov15 · Nov 13, 2023 · 9453ff6 · 9453ff6
1 parent 2f46ec0
commit 9453ff6
Show file tree

Hide file tree

Showing 3 changed files with 149 additions and 1,591 deletions.
diff --git a/netlify/functions/share.js b/netlify/functions/share.js
@@ -1,6 +1,7 @@
 'use strict';
 
 const fs = require('fs');
+const xss = require('xss');
 
 require.extensions['.html'] = function(module, filename) {
   module.exports = fs.readFileSync(filename, 'utf8');
@@ -39,25 +40,26 @@ exports.handler = async function share(event) {
   Scorecard(app);
   Share(app);
 
+  const name = xss(player.name);
+
   return {
     statusCode: 200,
     body: `<html>
     <head>
       <link rel="stylesheet" type="text/css" href="/style.css"/>
       <link rel="icon" type="image/png" href="/images/oso-golf-bear-no-bg.png">
       <meta property="og:image" content="https://oso-golf.netlify.app/images/social.png"/>
-      <meta property="og:title" content="${player.name}'s Oso Golf Scorecard"/>
+      <meta property="og:title" content="${name}'s Oso Golf Scorecard"/>
       <meta property="og:type" content="website"/>
       <meta property="og:url" content="https://oso-golf.netlify.app"/>
       <meta property="og:description" content="Oso Golf is a logic game, similar to “Regex Golf”, that is designed to teach you authorization principles by completing permissions with as few objects as possible."/>
       
-      <meta name="twitter:card" content="summary_large_image">
-      <meta name="twitter:image:alt" content="${player.name}'s Oso Golf Scorecard">
-      <meta name="twitter:title" content="${player.name}'s Oso Golf Scorecard">
+      <meta name="twitter:image:alt" content="${name}'s Oso Golf Scorecard">
+      <meta name="twitter:title" content="${name}'s Oso Golf Scorecard">
       <meta name="twitter:description" content="Oso Golf is a logic game, similar to “Regex Golf”, that is designed to teach you authorization principles by completing permissions with as few objects as possible.">
       <meta name="twitter:image" content="https://oso-golf.netlify.app/images/social.png">
 
-      <title>${player.name}'s Oso Golf Scorecard</title>
+      <title>${name}'s Oso Golf Scorecard</title>
     </head>
     <body>
       <div class="m-auto max-w-5xl px-2">