fix: template injection (#84)

fastify · Sep 13, 2024 · c522606 · c522606
1 parent 66d3006
commit c522606
Show file tree

Hide file tree

Showing 2 changed files with 3 additions and 4 deletions.
diff --git a/lib/send.js b/lib/send.js
@@ -594,8 +594,7 @@ function sendRedirect (path, options) {
   }
 
   const loc = encodeURI(collapseLeadingSlashes(options.path + '/'))
-  const doc = createHtmlDocument('Redirecting', 'Redirecting to <a href="' + escapeHtml(loc) + '">' +
-    escapeHtml(loc) + '</a>')
+  const doc = createHtmlDocument('Redirecting', 'Redirecting to ' + escapeHtml(loc))
 
   const headers = {}
   headers['Content-Type'] = 'text/html; charset=UTF-8'

diff --git a/test/send.2.test.js b/test/send.2.test.js
@@ -288,7 +288,7 @@ test('send(file)', function (t) {
         .get('/pets')
         .expect('Location', '/pets/')
         .expect('Content-Type', /html/)
-        .expect(301, />Redirecting to <a href="\/pets\/">\/pets\/<\/a></, err => t.error(err))
+        .expect(301, />Redirecting to \/pets\/</, err => t.error(err))
     })
 
     t.test('should respond with default Content-Security-Policy', function (t) {
@@ -323,7 +323,7 @@ test('send(file)', function (t) {
         .get('/snow')
         .expect('Location', '/snow%20%E2%98%83/')
         .expect('Content-Type', /html/)
-        .expect(301, />Redirecting to <a href="\/snow%20%E2%98%83\/">\/snow%20%E2%98%83\/<\/a></, err => t.error(err))
+        .expect(301, />Redirecting to \/snow%20%E2%98%83\/</, err => t.error(err))
     })
   })