fix: XSS via template injection v2.x (#85)

Signed-off-by: Matteo Collina <hello@matteocollina.com>
fastify · Sep 13, 2024 · 27d8179 · 27d8179
1 parent ca19a72
commit 27d8179
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 4 deletions.
diff --git a/lib/SendStream.js b/lib/SendStream.js
@@ -486,8 +486,7 @@ SendStream.prototype.redirect = function redirect (path) {
   }
 
   const loc = encodeURI(collapseLeadingSlashes(this.path + '/'))
-  const doc = createHtmlDocument('Redirecting', 'Redirecting to <a href="' + escapeHtml(loc) + '">' +
-    escapeHtml(loc) + '</a>')
+  const doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
 
   // redirect
   res.statusCode = 301

diff --git a/test/SendStream-pipe.test.js b/test/SendStream-pipe.test.js
@@ -588,7 +588,7 @@ test('send(file).pipe(res)', function (t) {
         .get('/pets')
         .expect('Location', '/pets/')
         .expect('Content-Type', /html/)
-        .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, err => t.error(err))
+        .expect(301, />Redirecting to \/pets\/</, err => t.error(err))
     })
 
     t.test('should respond with default Content-Security-Policy', function (t) {
@@ -622,7 +622,7 @@ test('send(file).pipe(res)', function (t) {
         .get('/snow')
         .expect('Location', '/snow%20%E2%98%83/')
         .expect('Content-Type', /html/)
-        .expect(301, />Redirecting to <a href="\/snow%20%E2%98%83\/">\/snow%20%E2%98%83\/<\/a></, err => t.error(err))
+        .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, err => t.error(err))
     })
   })