Escape HTML in messages and usernames

The-Best-Codes · The-Best-Codes · commit ef6546c0e16b · 2024-11-23T19:52:39.000-06:00
diff --git a/index.ts b/index.ts
@@ -5,7 +5,7 @@ import {
   getRecentMessages,
   type User,
 } from "./src/db/database";
-import { LIMITS, validateInput } from "./src/constants";
+import { LIMITS, validateInput, escapeHtml } from "./src/constants";
 import crypto from "crypto";
 
 const port = process.env.PORT || 5177;
@@ -212,13 +212,15 @@ const server: any = Bun.serve({
               data.content,
               LIMITS.MESSAGE_MAX_LENGTH
             );
-            const msg = await createMessage(user.id, validatedContent);
+            // Escape HTML in the message
+            const safeContent = escapeHtml(validatedContent);
+            const msg = await createMessage(user.id, safeContent);
             server.publish(
               "chat",
               JSON.stringify({
                 type: "message",
                 username: user.username,
-                content: validatedContent,
+                content: safeContent,
                 timestamp: new Date().toISOString(),
               })
             );
diff --git a/src/constants.ts b/src/constants.ts
@@ -4,6 +4,15 @@ export const LIMITS = {
   MESSAGE_MAX_LENGTH: 2000,
 } as const;
 
+export function escapeHtml(unsafe: string): string {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;");
+}
+
 export function validateInput(input: string, maxLength: number): string {
   if (!input || typeof input !== "string") {
     throw new Error("Invalid input");
diff --git a/src/db/database.ts b/src/db/database.ts
@@ -1,6 +1,6 @@
 import { Database } from "bun:sqlite";
 import * as bcrypt from "bcryptjs";
-import { LIMITS, validateInput } from "../constants";
+import { LIMITS, validateInput, escapeHtml } from "../constants";
 
 const DB_PATH = process.env.DB_PATH || `${process.cwd()}/chat.db`;
 const SCHEMA_PATH =
@@ -40,6 +40,9 @@ export const createUser = async (
   username = validateInput(username, LIMITS.USERNAME_MAX_LENGTH);
   password = validateInput(password, LIMITS.PASSWORD_MAX_LENGTH);
 
+  // Escape HTML in username
+  username = escapeHtml(username);
+
   const hashedPassword = await bcrypt.hash(password, 10);
   try {
     const stmt = db.prepare(
