From: xangelo <me@xangelo.ca>
Date: Fri, 25 Aug 2023 16:05:04 +0000 (-0400)
Subject: fix: xss username on signup
X-Git-Tag: v0.2.17~1
X-Git-Url: https://git.xangelo.ca/?a=commitdiff_plain;h=a827642416a0fa9aca73065db149da196f69e309;p=risinglegends.git

fix: xss username on signup
---

diff --git a/src/server/auth.ts b/src/server/auth.ts
index 3f4899b..456d293 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -1,4 +1,5 @@
 import { Player } from 'shared/player';
+import xss from 'xss';
 import bcrypt from 'bcrypt';
 import { loadPlayer } from './player';
 import { Auth } from '../shared/auth';
@@ -14,7 +15,7 @@ export async function signup(playerId: string, username: string, password: strin
   const hash = await bcrypt.hash(password, salt);
   const data: Auth = {
     id: playerId,
-    username,
+    username: xss(username, { whiteList: {} }),
     password: hash
   };
 
@@ -33,7 +34,7 @@ export async function signup(playerId: string, username: string, password: strin
     console.log(e);
     if(e?.code === '23505') {
       if(e?.constraint === 'auth_pkey') {
-        console.log(`Key ${playerId} was already claimed. ${username} tried claiming again..`);
+        console.log(`Key ${playerId} was already claimed. ${data.username} tried claiming again..`);
       }
       // someone already claimed this key
       throw new Error('Invalid account');