From: xangelo
Date: Fri, 25 Aug 2023 16:05:16 +0000 (-0400)
Subject: chore(release): 0.2.17
X-Git-Tag: v0.2.17
X-Git-Url: https://git.xangelo.ca/?p=risinglegends.git;a=commitdiff_plain;h=v0.2.17;hp=v0.2.16;ds=sidebyside
chore(release): 0.2.17
---
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 764c882..a627b74 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,13 @@ All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
+### [0.2.17](https://git.xangelo.ca/?p=risinglegends.git;a=commitdiff;h=v0.2.17;hp=v0.2.16;ds=sidebyside) (2023-08-25)
+
+
+### Bug Fixes
+
+* xss username on signup a827642
+
 ### [0.2.16](https://git.xangelo.ca/?p=risinglegends.git;a=commitdiff;h=v0.2.16;hp=v0.2.15;ds=sidebyside) (2023-08-25)
diff --git a/package-lock.json b/package-lock.json
index acc76b8..2915698 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1,12 +1,12 @@
 {
 "name": "rising-legends",
- "version": "0.2.16",
+ "version": "0.2.17",
 "lockfileVersion": 2,
 "requires": true,
 "packages": {
 "": {
 "name": "rising-legends",
- "version": "0.2.16",
+ "version": "0.2.17",
 "dependencies": {
 "@honeycombio/opentelemetry-node": "^0.4.0",
 "@opentelemetry/auto-instrumentations-node": "^0.37.0",
diff --git a/package.json b/package.json
index e7d766b..8f5109f 100644
--- a/package.json
+++ b/package.json
@@ -1,7 +1,7 @@
 {
 "name": "rising-legends",
 "private": true,
- "version": "0.2.16",
+ "version": "0.2.17",
 "scripts": {
 "up": "npx prisma migrate dev --name \"init\"",
 "start": "pm2 start dist/server/api.js",
diff --git a/src/server/auth.ts b/src/server/auth.ts
index 3f4899b..456d293 100644
--- a/src/server/auth.ts
+++ b/src/server/auth.ts
@@ -1,4 +1,5 @@
 import { Player } from 'shared/player';
+import xss from 'xss';
 import bcrypt from 'bcrypt';
 import { loadPlayer } from './player';
 import { Auth } from '../shared/auth';
@@ -14,7 +15,7 @@ export async function signup(playerId: string, username: string, password: strin
 const hash = await bcrypt.hash(password, salt);
 const data: Auth = {
 id: playerId,
- username,
+ username: xss(username, { whiteList: {} }),
 password: hash
 };
@@ -33,7 +34,7 @@ export async function signup(playerId: string, username: string, password: strin
 console.log(e);
 if(e?.code === '23505') {
 if(e?.constraint === 'auth_pkey') {
- console.log(`Key ${playerId} was already claimed. ${username} tried claiming again..`);
+ console.log(`Key ${playerId} was already claimed. ${data.username} tried claiming again..`);
 }
 // someone already claimed this key
 throw new Error('Invalid account');
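Review bot: The `username: xss(username, { whiteList: {} })` line in the first hunk changes what gets persisted rather than how it is rendered: with the library's defaults (no `stripIgnoreTag`) non-whitelisted markup is escaped, so a name containing `<` or `>` is stored with `&lt;`/`&gt;` entities, a view that already HTML-escapes on output will show them double-encoded, and JSON or log consumers see entity text as the name. Storing a rewritten value also means the player is never told that the name they chose was altered, and the second hunk's log line now prints that altered value. Consider validating instead of rewriting, e.g. `if (!/^[\w .-]{1,32}$/.test(username)) throw new Error('Invalid account');` before `data` is built (placeholder pattern — substitute the charset the game actually allows), keeping `username` raw in `data` and leaving HTML encoding to the output layer. signup begins and ends outside both hunks, and the second hunk sits inside a catch block whose opening is not shown.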