From: xangelo
Date: Fri, 25 Aug 2023 16:05:04 +0000 (-0400)
Subject: fix: xss username on signup
X-Git-Tag: v0.2.17~1
X-Git-Url: https://git.xangelo.ca/?a=commitdiff_plain;h=a827642416a0fa9aca73065db149da196f69e309;p=risinglegends.git

fix: xss username on signup
---

diff --git a/src/server/auth.ts b/src/server/auth.ts
index 3f4899b..456d293 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -1,4 +1,5 @@
 import { Player } from 'shared/player';
+import xss from 'xss';
 import bcrypt from 'bcrypt';
 import { loadPlayer } from './player';
 import { Auth } from '../shared/auth';
@@ -14,7 +15,7 @@ export async function signup(playerId: string, username: string, password: strin
   const hash = await bcrypt.hash(password, salt);
   const data: Auth = {
     id: playerId,
-    username,
+    username: xss(username, { whiteList: {} }),
     password: hash
   };
 
@@ -33,7 +34,7 @@ export async function signup(playerId: string, username: string, password: strin
     console.log(e);
     if(e?.code === '23505') {
       if(e?.constraint === 'auth_pkey') {
-        console.log(`Key ${playerId} was already claimed. ${username} tried claiming again..`);
+        console.log(`Key ${playerId} was already claimed. ${data.username} tried claiming again..`);
       }
       // someone already claimed this key
       throw new Error('Invalid account');
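Review bot: Running the username through `xss(username, { whiteList: {} })` in the second hunk stores an HTML-encoded value rather than the name the user typed (with no whitelist the library escapes `<` and `>` in the text by default instead of rejecting it), so a login or lookup path that compares the raw submitted username with the stored one will not match for such names, and a template engine that already escapes output will double-encode it; the login code is not in this diff, so that needs checking. A sturdier fix is to validate the username against an allowlist at signup and reject anything else, `if (!/^[A-Za-z0-9_-]{3,32}$/.test(username)) throw new Error('Invalid username');` (pattern illustrative, pick the project's rules), and keep HTML escaping at the point where the name is rendered rather than in the stored record. The third hunk's switch to `data.username` in the log line is consistent with that, but the underlying issue is the same stored value. The second and third hunks are inside `signup`, whose body begins and ends outside this diff.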