From 0d9025574556d5691a033a7dc876151c03a6634e Mon Sep 17 00:00:00 2001
From: AJ ONeal
Date: Wed, 8 Jul 2015 21:20:57 -0600
Subject: [PATCH] escape HTML on redirects

---
 lib/insecure-server.js | 8 +++++---
 package.json | 2 +-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/lib/insecure-server.js b/lib/insecure-server.js
index fbda75b..0b8e827 100644
--- a/lib/insecure-server.js
+++ b/lib/insecure-server.js
@@ -40,19 +40,21 @@ module.exports.create = function (securePort, insecurePort, redirects) {
 );
 });
+ var escapeHtml = require('escapeHtml');
 var newLocation = 'https://' + host.replace(/:\d+/, ':' + securePort) + url ;
+ var safeLocation = escapeHtml(newLocation);
 var metaRedirect = '' + '\n' + '\n' + ' \n' - + ' \n' + + ' \n' + '\n' + '\n' + '

You requested an insecure resource. Please use this instead: \n' - + ' ' + newLocation + '

\n' + + ' ' + safeLocation + '

\n' + '\n' + '\n' ;
@@ -72,7 +74,7 @@ module.exports.create = function (securePort, insecurePort, redirects) {
 // To minimize this, we give browser users a mostly optimal experience,
 // but people experimenting with the API get a message letting them know
 // that they're doing it wrong and thus forces them to ensure they encrypt.
- res.setHeader('Content-Type', 'text/html');
+ res.setHeader('Content-Type', 'text/html; charset=utf-8');
 res.end(metaRedirect);
 }

diff --git a/package.json b/package.json
index dcee18e..13ef213 100644
--- a/package.json
+++ b/package.json
@@ -62,7 +62,7 @@
 "ee-first": "^1.1.0",
 "errorhandler": "1.x",
 "es6-promise": "2.x",
- "escape-html": "^1.0.1",
+ "escape-html": "^1.0.2",
 "escape-string-regexp": "1.x",
 "etag": "^1.5.1",
 "express": "4.x",
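Review bot: The added `var escapeHtml = require('escapeHtml');` names a module that does not match the dependency this same commit bumps in package.json, which is `escape-html`; unless a module literally called `escapeHtml` exists somewhere on the resolution path, Node will throw "Cannot find module" on the first insecure request and the whole redirect handler fails instead of escaping anything, so the line should read `var escapeHtml = require('escape-html');`. That require also sits inside the per-request path next to `newLocation`; hoisting it to the file's top-level require block (not in this hunk) resolves the module once rather than on every request. Escaping is the right fix here because `host` presumably comes from the request's Host header and flows straight into `newLocation`, and escape-html's treatment of `&`, `<`, `>`, `"` and `'` covers both the meta-refresh attribute and the anchor; note it only makes the value safe to embed and does not constrain where the redirect points, which this commit does not set out to address. The enclosing `module.exports.create` function starts before this hunk and continues past it.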