From a827642416a0fa9aca73065db149da196f69e309 Mon Sep 17 00:00:00 2001
From: xangelo <me@xangelo.ca>
Date: Fri, 25 Aug 2023 12:05:04 -0400
Subject: [PATCH] fix: xss username on signup

---
 src/server/auth.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/server/auth.ts b/src/server/auth.ts
index 3f4899b..456d293 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -1,4 +1,5 @@
 import { Player } from 'shared/player';
+import xss from 'xss';
 import bcrypt from 'bcrypt';
 import { loadPlayer } from './player';
 import { Auth } from '../shared/auth';
@@ -14,7 +15,7 @@ export async function signup(playerId: string, username: string, password: strin
   const hash = await bcrypt.hash(password, salt);
   const data: Auth = {
     id: playerId,
-    username,
+    username: xss(username, { whiteList: {} }),
     password: hash
   };
 
@@ -33,7 +34,7 @@ export async function signup(playerId: string, username: string, password: strin
     console.log(e);
     if(e?.code === '23505') {
       if(e?.constraint === 'auth_pkey') {
-        console.log(`Key ${playerId} was already claimed. ${username} tried claiming again..`);
+        console.log(`Key ${playerId} was already claimed. ${data.username} tried claiming again..`);
       }
       // someone already claimed this key
       throw new Error('Invalid account');
-- 
2.25.1