From a827642416a0fa9aca73065db149da196f69e309 Mon Sep 17 00:00:00 2001
From: xangelo
Date: Fri, 25 Aug 2023 12:05:04 -0400
Subject: [PATCH] fix: xss username on signup

---
 src/server/auth.ts | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/src/server/auth.ts b/src/server/auth.ts
index 3f4899b..456d293 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -1,4 +1,5 @@
 import { Player } from 'shared/player';
+import xss from 'xss';
 import bcrypt from 'bcrypt';
 import { loadPlayer } from './player';
 import { Auth } from '../shared/auth';
@@ -14,7 +15,7 @@ export async function signup(playerId: string, username: string, password: strin
   const hash = await bcrypt.hash(password, salt);
   const data: Auth = {
     id: playerId,
-    username,
+    username: xss(username, { whiteList: {} }),
     password: hash
   };
 
@@ -33,7 +34,7 @@ export async function signup(playerId: string, username: string, password: strin
     console.log(e);
     if(e?.code === '23505') {
       if(e?.constraint === 'auth_pkey') {
-        console.log(`Key ${playerId} was already claimed. ${username} tried claiming again..`);
+        console.log(`Key ${playerId} was already claimed. ${data.username} tried claiming again..`);
       }
       // someone already claimed this key
       throw new Error('Invalid account');
-- 
2.25.1
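Review bot: The `username: xss(username, { whiteList: {} })` line in the second hunk sanitizes the value that gets persisted instead of encoding at render time, so the stored username is no longer what the user typed (with an empty whitelist, `xss` by default escapes markup characters into HTML entities rather than stripping them). Every other consumer of that column — a login lookup, a JSON API, the log line in the third hunk, a plain-text message — now sees the escaped form, and a login that compares the raw submitted username against the stored one would fail unless it applies the same transform; the login path is not in this patch, so that part is inferred. Escaping also only protects HTML element content; a template that places the name in an attribute, a script block or a URL still needs its own context-specific encoding, so the display layer should not treat this field as pre-encoded for all contexts. If the sanitize-on-write design is kept, record it at the assignment: `// username is HTML-escaped here (xss, empty whitelist): the stored value differs from the raw input, so apply the same transform wherever usernames are compared or looked up.` signup begins before the second hunk and its catch block continues past the end of the third.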