Merge pull request #1 from tomer-mobb/Mobb-fix-a44386e2e7

tomer-mobb · web-flow · commit f58157e5fdae · 2024-11-19T00:54:52.000+07:00
XSS vulnerability fix (powered by Mobb)
diff --git a/insecure-js/package.json b/insecure-js/package.json
@@ -7,6 +7,7 @@
     "dom-iterator": "^1.0.0",
     "jquery": "2.1.0",
     "lodash": "4.16.1",
+    "lodash.escape": ">=4.0.1",
     "mysql2": "^2.3.3",
     "semver": "5.4.1",
     "sequelize": "4.44.1",
diff --git a/insecure-js/server.js b/insecure-js/server.js
@@ -1,3 +1,4 @@
+const escapeHtml = require('lodash.escape');
 const http = require('http');
 const _ = require('lodash');
 const qs = require('querystring');
@@ -60,7 +61,7 @@ const server = http.createServer((req, res) => {
           }
         } catch (error) {
           console.error("Raw SQL error:", error);
-          responseMessages.push(`<p>An error occurred: ${error.message}</p>`);
+          responseMessages.push(`<p>An error occurred: ${escapeHtml(error.message)}</p>`);
         }
       }
 

Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+const escapeHtml = require('lodash.escape');`
`1`	`2`	`const http = require('http');`
`2`	`3`	`const _ = require('lodash');`
`3`	`4`	`const qs = require('querystring');`
`@@ -60,7 +61,7 @@ const server = http.createServer((req, res) => {`
`60`	`61`	`}`
`61`	`62`	`} catch (error) {`
`62`	`63`	`console.error("Raw SQL error:", error);`
`63`		- responseMessages.push(`<p>An error occurred: ${error.message}</p>`);
	`64`	+ responseMessages.push(`<p>An error occurred: ${escapeHtml(error.message)}</p>`);
`64`	`65`	`}`
`65`	`66`	`}`
`66`	`67`