fix(static): prevent possible XSS by sanitizing output

trieloff · trieloff · commit 97d63875e7e2 · 2019-05-03T15:24:49.000Z
diff --git a/package.json b/package.json
@@ -66,6 +66,7 @@
     "progress": "2.0.1",
     "request": "2.87.0",
     "request-promise-native": "1.0.7",
+    "sanitizer": "^0.1.3",
     "semver": "^6.0.0",
     "shelljs": "0.8.2",
     "snyk": "1.159.0",
diff --git a/src/openwhisk/static.js b/src/openwhisk/static.js
@@ -18,6 +18,7 @@ const postcssurl = require('postcss-url');
 const parser = require('postcss-value-parser');
 const babel = require('@babel/core');
 const ohash = require('object-hash');
+const sanitizer = require('sanitizer');
 
 const { space } = postcss.list;
 const uri = require('uri-js');
@@ -46,7 +47,7 @@ function error(message, code = 500) {
       'X-Static': 'Raw/Static',
       'Cache-Control': 'max-age=300',
     },
-    body: `${message}`,
+    body: sanitizer.escape(message),
   };
 }
 
