escape HTML on redirects

This commit is contained in:
AJ ONeal 2015-07-08 21:20:57 -06:00
parent e1e4d86941
commit 0d90255745
2 changed files with 6 additions and 4 deletions

View File

@ -40,19 +40,21 @@ module.exports.create = function (securePort, insecurePort, redirects) {
);
});
var escapeHtml = require('escapeHtml');
var newLocation = 'https://'
+ host.replace(/:\d+/, ':' + securePort) + url
;
var safeLocation = escapeHtml(newLocation);
var metaRedirect = ''
+ '<html>\n'
+ '<head>\n'
+ ' <style>* { background-color: white; color: white; text-decoration: none; }</style>\n'
+ ' <META http-equiv="refresh" content="0;URL=' + newLocation + '">\n'
+ ' <META http-equiv="refresh" content="0;URL=' + safeLocation + '">\n'
+ '</head>\n'
+ '<body style="display: none;">\n'
+ ' <p>You requested an insecure resource. Please use this instead: \n'
+ ' <a href="' + newLocation + '">' + newLocation + '</a></p>\n'
+ ' <a href="' + safeLocation + '">' + safeLocation + '</a></p>\n'
+ '</body>\n'
+ '</html>\n'
;
@ -72,7 +74,7 @@ module.exports.create = function (securePort, insecurePort, redirects) {
// To minimize this, we give browser users a mostly optimal experience,
// but people experimenting with the API get a message letting them know
// that they're doing it wrong and thus forces them to ensure they encrypt.
res.setHeader('Content-Type', 'text/html');
res.setHeader('Content-Type', 'text/html; charset=utf-8');
res.end(metaRedirect);
}

View File

@ -62,7 +62,7 @@
"ee-first": "^1.1.0",
"errorhandler": "1.x",
"es6-promise": "2.x",
"escape-html": "^1.0.1",
"escape-html": "^1.0.2",
"escape-string-regexp": "1.x",
"etag": "^1.5.1",
"express": "4.x",