From f62b8ba8e609076348d313185bb3e3acc3513a00 Mon Sep 17 00:00:00 2001
From: Vjacheslav Trushkin
Date: Wed, 12 Feb 2025 00:16:48 +0200
Subject: [PATCH] chore: clean up params in svg query

---
 src/http/helpers/query.ts | 6 ++++++
 src/http/responses/css.ts | 9 +++++----
 src/http/responses/svg.ts | 7 ++++---
 3 files changed, 15 insertions(+), 7 deletions(-)
 create mode 100644 src/http/helpers/query.ts

diff --git a/src/http/helpers/query.ts b/src/http/helpers/query.ts
new file mode 100644
index 0000000..95d73ad
--- /dev/null
+++ b/src/http/helpers/query.ts
@@ -0,0 +1,6 @@
+/**
+ * Basic cleanup for parameters
+ */
+export function cleanupQueryValue(value: string | undefined) {
+	return value ? value.replace(/['"<>&]/g, '') : undefined;
+}
diff --git a/src/http/responses/css.ts b/src/http/responses/css.ts
index 46c6a84..e690cb7 100644
--- a/src/http/responses/css.ts
+++ b/src/http/responses/css.ts
@@ -6,6 +6,7 @@ import { getStoredIconsData } from '../../data/icon-set/utils/get-icons.js';
 import { iconSets } from '../../data/icon-sets.js';
 import { paramToBoolean } from '../../misc/bool.js';
 import { errorText } from '../helpers/errors.js';
+import { cleanupQueryValue } from '../helpers/query.js';
 
 /**
  * Check selector for weird stuff
@@ -57,7 +58,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 
 	// 'color': string
 	// Sets color for monotone images
-	const color = qOptions.color;
+	const color = cleanupQueryValue(qOptions.color);
 	if (typeof color === 'string' && stringToColor(color)) {
 		options.color = color;
 	}
@@ -98,7 +99,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 	// 'commonSelector': string
 	// Common selector for all requested icons
 	// Alias: 'common'
-	const commonSelector = qOptions.commonSelector || q.common;
+	const commonSelector = cleanupQueryValue(qOptions.commonSelector || q.common);
 	if (checkSelector(commonSelector)) {
 		options.commonSelector = commonSelector;
 	}
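Review bot: `cleanupQueryValue` has no explicit return type and its TSDoc does not state what the helper guarantees, even though it now sits in front of every user-controlled value in css.ts and svg.ts. I would add `: string | undefined` to the signature and replace the one-line comment with a TSDoc saying that it only strips the characters `' " < > &`, that an empty string yields `undefined` (the ternary treats `''` as falsy), and that it is not a validator: each caller still has to check the value for its own context (`checkSelector` for selectors, `stringToColor` for colors). A five-character denylist mitigates attribute and tag breakout in the generated output; it does not replace those per-context checks, and the doc should say so.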
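Review bot: Stripping before validating widens what the endpoint accepts: on the changed `const color` line `cleanupQueryValue` runs ahead of `stringToColor`, so an input such as `re"d` is silently rewritten to `red` and then accepted, whereas before the change it would presumably have failed `stringToColor`. The same ordering is used for `commonSelector` in the next hunk of this file and for `iconSelector` and `overrideSelector` after it, where `checkSelector` only ever sees the already-rewritten value. If the intent is to reject anything containing the stripped characters, compare before and after cleanup and bail out (`if (color !== qOptions.color) { /* treat as invalid */ }`) rather than validating the rewritten value; if silent cleanup is the intent, a comment such as `// Quotes, angle brackets and ampersands are removed, not rejected; stringToColor validates the result` makes that decision visible to the next reader.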
@@ -106,7 +107,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 	// 'iconSelector': string
 	// Icon selector
 	// Alias: 'selector'
-	const iconSelector = qOptions.iconSelector || q.selector;
+	const iconSelector = cleanupQueryValue(qOptions.iconSelector || q.selector);
 	if (checkSelector(iconSelector)) {
 		options.iconSelector = iconSelector;
 	}
@@ -114,7 +115,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 	// 'overrideSelector': string
 	// Selector for rules in icon that override common rules
 	// Alias: 'override'
-	const overrideSelector = qOptions.overrideSelector || q.override;
+	const overrideSelector = cleanupQueryValue(qOptions.overrideSelector || q.override);
 	if (checkSelector(overrideSelector)) {
 		options.overrideSelector = overrideSelector;
 	}
diff --git a/src/http/responses/svg.ts b/src/http/responses/svg.ts
index 0a0fb40..4a3110c 100644
--- a/src/http/responses/svg.ts
+++ b/src/http/responses/svg.ts
@@ -8,6 +8,7 @@ import type { FastifyReply, FastifyRequest } from 'fastify';
 import { getStoredIconData } from '../../data/icon-set/utils/get-icon.js';
 import { iconSets } from '../../data/icon-sets.js';
 import { errorText } from '../helpers/errors.js';
+import { cleanupQueryValue } from '../helpers/query.js';
 
 /**
  * Generate SVG
@@ -43,8 +44,8 @@ export function generateSVGResponse(prefix: string, name: string, query: Fastify
 	const customisations: IconifyIconCustomisations = {};
 
 	// Dimensions
-	customisations.width = q.width || defaultIconCustomisations.width;
-	customisations.height = q.height || defaultIconCustomisations.height;
+	customisations.width = cleanupQueryValue(q.width) || defaultIconCustomisations.width;
+	customisations.height = cleanupQueryValue(q.height) || defaultIconCustomisations.height;
 
 	// Rotation
 	customisations.rotate = q.rotate ? rotateFromString(q.rotate, 0) : 0;
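Review bot: On the two changed `customisations.width`/`customisations.height` lines the only constraint on a user-supplied dimension is now "no `' " < > &`", which is far wider than the shape a dimension can actually take; the value ends up in the SVG markup built later in this function, and anything other than those five characters is passed through verbatim. A check that the cleaned value is either numeric or a number followed by a short unit, falling back to `defaultIconCustomisations.width`/`.height` otherwise, would make the stripping a second line of defence rather than the whole one; since `cleanupQueryValue` already maps `''` to `undefined`, the `||` fallback keeps working unchanged. The enclosing `generateSVGResponse` body continues outside this hunk, so I cannot see whether a later step already constrains the value.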
@@ -75,7 +76,7 @@ export function generateSVGResponse(prefix: string, name: string, query: Fastify
 	let html = iconToHTML(body, svg.attributes);
 
 	// Change color
-	const color = q.color;
+	const color = cleanupQueryValue(q.color);
 	if (color && html.indexOf('currentColor') !== -1 && color.indexOf('"') === -1) {
 		html = html.split('currentColor').join(color);
 	}
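Review bot: The `color.indexOf('"') === -1` guard on the `if` line is now dead, because `cleanupQueryValue` has already removed every `"` from `color` on the line above; either drop it or keep it with a reason, e.g. `// '"' is already stripped by cleanupQueryValue; kept as defence in depth for the replacement below`. The larger point is that `currentColor` is replaced wherever it occurs in the HTML string, including inside any inline `style`, and apart from the five stripped characters the value is otherwise unconstrained. css.ts validates the same `color` parameter with `stringToColor` before using it (imported there; whether svg.ts has it in scope is not visible in this hunk); applying the same validation here would make the two responses consistent and turn the character stripping into a secondary safeguard. The enclosing `generateSVGResponse` body continues outside this hunk.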