# fix: sanitize statusMessage of disallowed chars (#357)
Codecov Report

| | main | #357 | +/- |
|---|---|---|---|
| Coverage | 74.61% | 74.25% | -0.36% |
| Files | 25 | 25 | |
| Lines | 2336 | 2362 | +26 |
| Branches | 368 | 368 | |
| Hits | 1743 | 1754 | +11 |
| Misses | 593 | 608 | +15 |
```js
// Allowed characters: horizontal tabs, spaces or visible ascii characters: https://www.rfc-editor.org/rfc/rfc7230#section-3.1.2
event.node.res.statusMessage = text.replace(
  // eslint-disable-next-line no-control-regex
  /[^\u0009\u0020-\u007E]/g,
```
Just to mention for the future: we might extend the escaping for XSS as well (we had a report of similar issues with ipx, fixed by JSON.stringify and removing more chars).
Thanks ❤️
## Description
It will break the response if we set any of these characters by accident (e.g. if a user includes one in an error message).
Related: nuxt/nuxt#14688
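The sanitization the PR applies, worked through as an added example (this is not code from the h3 project or from the PR): a pure `sanitizeStatusMessage` helper using the same character class as the diff (HTAB, SP and visible ASCII only), plus a `findDisallowed` helper that reports which code points would have been dropped, which is what you would want to log when a user-derived message gets rewritten. The sample inputs are constructed; `applyStatusMessage` takes a plain object standing in for `event.node.res`.

```javascript
// Added example, not h3's own code. RFC 7230 section 3.1.2 limits the reason phrase to
// HTAB, SP, VCHAR (0x21-0x7E) and obs-text. Node's http module throws ERR_INVALID_CHAR
// from writeHead() when statusMessage holds CR, LF or other invalid characters, so an
// unsanitized error message copied into statusMessage breaks the whole response.

// Same class as the PR: anything that is not HTAB or 0x20-0x7E. Stricter than Node's own
// check, which also tolerates obs-text (0x80-0xFF); dropping those too is the safer choice.
// eslint-disable-next-line no-control-regex
const DISALLOWED = /[^\u0009\u0020-\u007E]/g;

// Strip every disallowed character (assumption: drop rather than replace with a placeholder).
function sanitizeStatusMessage(text) {
  return String(text).replace(DISALLOWED, "");
}

// Report offending code points as U+XXXX so the rewrite can be logged or alerted on.
function findDisallowed(text) {
  const found = [];
  for (const ch of String(text)) {
    const code = ch.codePointAt(0);
    const allowed = code === 0x09 || (code >= 0x20 && code <= 0x7e);
    if (!allowed) {
      found.push("U+" + code.toString(16).toUpperCase().padStart(4, "0"));
    }
  }
  return found;
}

// Set the reason phrase on a response-like object (here a plain object standing in for
// event.node.res) and return what was removed, so callers can decide whether to log it.
function applyStatusMessage(res, text) {
  const removed = findDisallowed(text);
  res.statusMessage = sanitizeStatusMessage(text);
  return removed;
}

// Constructed sample: an error message that accidentally carries CR LF, a non-ASCII
// letter and an emoji, as a user-supplied value might.
const SAMPLE = "Not Found\r\nX-Injected: 1 caf\u00e9 \u{1F4A5}";

function demo() {
  const res = { statusCode: 404, statusMessage: "" };
  const removed = applyStatusMessage(res, SAMPLE);
  return { statusMessage: res.statusMessage, removed };
}

// demo() -> { statusMessage: "Not FoundX-Injected: 1 caf ", removed: ["U+000D","U+000A","U+00E9","U+1F4A5"] }
```

Stripping silently is what keeps the response well-formed; the `removed` list is the signal a defender cares about, since a CR or LF turning up in a value headed for a status line is worth noticing even after it has been neutralised.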