fix: xss username on signup

diff --git a/src/server/auth.ts b/src/server/auth.ts
index 3f4899bad9decb1521c5ee4b31168b00927ad17e..456d2937a7f755c174411f3c5d709061705a0f9b 100644 (file)
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -1,4 +1,5 @@
 import { Player } from 'shared/player';
+import xss from 'xss';
 import bcrypt from 'bcrypt';
 import { loadPlayer } from './player';
 import { Auth } from '../shared/auth';
@@ -14,7 +15,7 @@ export async function signup(playerId: string, username: string, password: strin
   const hash = await bcrypt.hash(password, salt);
   const data: Auth = {
     id: playerId,
-    username,
+    username: xss(username, { whiteList: {} }),
     password: hash
   };
 
@@ -33,7 +34,7 @@ export async function signup(playerId: string, username: string, password: strin
     console.log(e);
     if(e?.code === '23505') {
       if(e?.constraint === 'auth_pkey') {
-        console.log(`Key ${playerId} was already claimed. ${username} tried claiming again..`);
+        console.log(`Key ${playerId} was already claimed. ${data.username} tried claiming again..`);
       }
       // someone already claimed this key
       throw new Error('Invalid account');