chore: clean up params in svg query

2025-02-12 00:16:48 +02:00 · 2025-02-12 00:16:48 +02:00 · f62b8ba8e6
parent 65b0eca32e
commit f62b8ba8e6
3 changed files with 15 additions and 7 deletions
--- a/src/http/helpers/query.ts
+++ b/src/http/helpers/query.ts
@ -0,0 +1,6 @@
+/**
+ * Basic cleanup for parameters
+ */
+export function cleanupQueryValue(value: string | undefined) {
+	return value ? value.replace(/['"<>&]/g, '') : undefined;
+}
--- a/src/http/responses/css.ts
+++ b/src/http/responses/css.ts
@ -6,6 +6,7 @@ import { getStoredIconsData } from '../../data/icon-set/utils/get-icons.js';
 import { iconSets } from '../../data/icon-sets.js';
 import { paramToBoolean } from '../../misc/bool.js';
 import { errorText } from '../helpers/errors.js';
+import { cleanupQueryValue } from '../helpers/query.js';

 /**
 * Check selector for weird stuff
@ -57,7 +58,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest

 		// 'color': string
 		// Sets color for monotone images
-		const color = qOptions.color;
+		const color = cleanupQueryValue(qOptions.color);
 		if (typeof color === 'string' && stringToColor(color)) {
 			options.color = color;
 		}
@ -98,7 +99,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 		// 'commonSelector': string
 		// Common selector for all requested icons
 		// Alias: 'common'
-		const commonSelector = qOptions.commonSelector || q.common;
+		const commonSelector = cleanupQueryValue(qOptions.commonSelector || q.common);
 		if (checkSelector(commonSelector)) {
 			options.commonSelector = commonSelector;
 		}
@ -106,7 +107,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 		// 'iconSelector': string
 		// Icon selector
 		// Alias: 'selector'
-		const iconSelector = qOptions.iconSelector || q.selector;
+		const iconSelector = cleanupQueryValue(qOptions.iconSelector || q.selector);
 		if (checkSelector(iconSelector)) {
 			options.iconSelector = iconSelector;
 		}
@ -114,7 +115,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 		// 'overrideSelector': string
 		// Selector for rules in icon that override common rules
 		// Alias: 'override'
-		const overrideSelector = qOptions.overrideSelector || q.override;
+		const overrideSelector = cleanupQueryValue(qOptions.overrideSelector || q.override);
 		if (checkSelector(overrideSelector)) {
 			options.overrideSelector = overrideSelector;
 		}
--- a/src/http/responses/svg.ts
+++ b/src/http/responses/svg.ts
@ -8,6 +8,7 @@ import type { FastifyReply, FastifyRequest } from 'fastify';
 import { getStoredIconData } from '../../data/icon-set/utils/get-icon.js';
 import { iconSets } from '../../data/icon-sets.js';
 import { errorText } from '../helpers/errors.js';
+import { cleanupQueryValue } from '../helpers/query.js';

 /**
 * Generate SVG
@ -43,8 +44,8 @@ export function generateSVGResponse(prefix: string, name: string, query: Fastify
 		const customisations: IconifyIconCustomisations = {};

 		// Dimensions
-		customisations.width = q.width || defaultIconCustomisations.width;
-		customisations.height = q.height || defaultIconCustomisations.height;
+		customisations.width = cleanupQueryValue(q.width) || defaultIconCustomisations.width;
+		customisations.height = cleanupQueryValue(q.height) || defaultIconCustomisations.height;

 		// Rotation
 		customisations.rotate = q.rotate ? rotateFromString(q.rotate, 0) : 0;
@ -75,7 +76,7 @@ export function generateSVGResponse(prefix: string, name: string, query: Fastify
 		let html = iconToHTML(body, svg.attributes);

 		// Change color
-		const color = q.color;
+		const color = cleanupQueryValue(q.color);
 		if (color && html.indexOf('currentColor') !== -1 && color.indexOf('"') === -1) {
 			html = html.split('currentColor').join(color);
 		}