fix: escape error.message on login failure

jsjoeio · jsjoeio · commit 22a22a8f7a2f · 2021-07-01T10:43:37.000-07:00
diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
@@ -41,7 +41,7 @@ const getRoot = async (req: Request, error?: Error): Promise<string> => {
     req,
     content
       .replace(/{{PASSWORD_MSG}}/g, passwordMsg)
-      .replace(/{{ERROR}}/, error ? `<div class="error">${error.message}</div>` : ""),
+      .replace(/{{ERROR}}/, error ? `<div class="error">${escapeHtml(error.message)}</div>` : ""),
   )
 }
 
@@ -112,8 +112,7 @@ router.post("/", async (req, res) => {
 
     throw new Error("Incorrect password")
   } catch (error) {
-    const html = await getRoot(req, error)
-    const escapedHtml = escapeHtml(html)
-    res.send(escapedHtml)
+    const htmlToRender = await getRoot(req, error)
+    res.send(htmlToRender)
   }
 })

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,7 @@ const getRoot = async (req: Request, error?: Error): Promise<string> => {`
`41`	`41`	`req,`
`42`	`42`	`content`
`43`	`43`	`.replace(/{{PASSWORD_MSG}}/g, passwordMsg)`
`44`		- .replace(/{{ERROR}}/, error ? `<div class="error">${error.message}</div>` : ""),
	`44`	+ .replace(/{{ERROR}}/, error ? `<div class="error">${escapeHtml(error.message)}</div>` : ""),
`45`	`45`	`)`
`46`	`46`	`}`
`47`	`47`
`@@ -112,8 +112,7 @@ router.post("/", async (req, res) => {`
`112`	`112`
`113`	`113`	`throw new Error("Incorrect password")`
`114`	`114`	`} catch (error) {`
`115`		`- const html = await getRoot(req, error)`
`116`		`- const escapedHtml = escapeHtml(html)`
`117`		`- res.send(escapedHtml)`
	`115`	`+ const htmlToRender = await getRoot(req, error)`
	`116`	`+ res.send(htmlToRender)`
`118`	`117`	`}`
`119`	`118`	`})`