| author | JoelHMikael <joel.h.kronqvist@gmail.com> | 2022-01-01 11:28:37 +0200 | 
|---|---|---|
| committer | JoelHMikael <joel.h.kronqvist@gmail.com> | 2022-01-01 11:28:37 +0200 | 
| commit | 2878bb666d1a2d1032683cd1783dbe6a9b505ba4 (patch) | |
| tree | c4554340bad263f334cdcb0ccafc37c68acfce6f | |
| parent | 7743b9ff7b9eb85ea9502e401529f10fed83a0f6 (diff) | |
Clearer Anti-XSS
| -rw-r--r-- | parse.js | 4 | ||||
| -rw-r--r-- | server.js | 59 | 
2 files changed, 50 insertions, 13 deletions
@@ -56,7 +56,9 @@ function findExpression(data, expr, start = 0)
 function parseCluttered(s)
 {
-	return s.replaceAll(".", "").replaceAll(" ", "").replaceAll("<", "(").replaceAll(">", ")").toUpperCase();
+	if (!(typeof s === "string"))
+		return "";
+	return s.replaceAll(".", "").replaceAll(" ", "").toUpperCase();
 }
 function parseClasses(classData, DB)
@@ -37,24 +37,40 @@ async function init()
 	// server code
 	async function server(req, res)
 	{
+		// validate inputs
 		let q = url.parse(req.url, true);
-		let path = "." + q.pathname;
+		let ind = q.query.index;
+		if (typeof ind === "string")
+			ind = validateIndex(q.query.index.substring(0, 20));
+		else
+			ind = "";
+		let d = q.query.day;
+		if (typeof d === "string")
+			d = antiXSS(d);
+		else
+			d = "";
+		q.query = {
+			index: ind,
+			day: d
+		};
+		let path = "." + antiXSS(q.pathname);
 		if (path == "./")
 			path = "./index.html";
+		// pack the data required by the builders
 		let data;
 		const args = {
 			"path": path,
+			"path404": errorPath,
 			"query": q.query,
 			"db": DB,
 			"foods": foods
 		};
-		if (typeof build[path] === "function")
-			data = await build[path](args);
-		else
-			data = await build404(errorPath, q.pathname);
-
+		// build the page
+		const buildFound = +(typeof build[path] === "function");
+		res.writeHead([404, 200][buildFound]);
+		data = await [build404, build[path]][buildFound](args);
 		res.write(data);
 		res.end();
 	}
@@ -64,6 +80,27 @@ async function init()
 }
+function validateIndex(sus)
+{
+	return antiXSS(parse.cluttered(sus));
+}
+
+function antiXSS(sus)
+{
+	if (!(typeof sus === "string"))
+		return "";
+	return replace(sus, ["<", ">", "(", ")"], ["<", ">", "(", ")"]);
+}
+
+function replace(s, from, to)
+{
+	for (let i = 0; i < from.length; i++)
+	{
+		s = s.replaceAll(from[i], to[i]);
+	}
+	return s;
+}
+
 function openFile(path)
 {
 	return new Promise((resolve, reject) =>
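Review bot: The guard `if (!(typeof s === "string"))` in parseCluttered reads more directly as `if (typeof s !== "string")`; the same negated-equality form recurs in `antiXSS` in the third hunk of this commit (server.js), so both could change together. Dropping the `<`→`(` and `>`→`)` substitutions is consistent with moving escaping into `antiXSS`, but it means parse.cluttered on its own no longer neutralises angle brackets, so any caller other than validateIndex (none is visible in this diff) now has to do its own escaping. A one-line comment above the function such as `// normalises a class/index string; does NOT escape HTML — callers must sanitise separately` would make that contract explicit.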
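Review bot: The dispatch `const buildFound = +(typeof build[path] === "function");` followed by `res.writeHead([404, 200][buildFound]);` and `data = await [build404, build[path]][buildFound](args);` encodes a boolean as an array index, which hides a plain branch; `const buildFound = typeof build[path] === "function";`, `res.writeHead(buildFound ? 200 : 404);`, `data = await (buildFound ? build[path] : build404)(args);` says the same thing and matches the if/else style used elsewhere in the file. Note also that the status line is now committed before the builder runs, so an exception thrown by a builder after `writeHead` can no longer be reported as a 500; whether anything above this hunk catches it is not visible here. Reducing q.query to exactly `index` and `day`, with non-string values (including repeated parameters, which url.parse delivers as arrays) reset to `""`, deserves a comment such as `// only index and day are forwarded to the builders; anything else in the query string is dropped`. server() continues past the end of this hunk.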
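Review bot: As rendered on this page the `to` array in `antiXSS` is `["<", ">", "(", ")"]`, identical to `from`, which would make the function a no-op; most likely the source holds HTML entity references that the page renderer decoded back to literal characters, but that should be confirmed against the file since the whole commit depends on it. Even with entities, the function escapes only `<`, `>`, `(` and `)` and leaves `"`, `'` and `&` alone, so its output is safe only when inserted as HTML text content, not inside an attribute value, URL or script; where `index`, `day` and the 404 path land in the templates is outside this diff. A header comment stating that limit, e.g. `// Escapes a value for insertion as HTML text content only; not sufficient for attribute, URL or script contexts.`, would keep future callers from reusing it in the wrong place. The generic `replace(s, from, to)` helper also assumes `from` and `to` have equal length; a comment or a length check would document that.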
@@ -82,9 +119,7 @@ async function buildMain(args)
 	const path = args["path"];
 	const query = args["query"];
 	const foods = args["foods"];
-	let index;
-	if (typeof query.index === "string")
-		index = parse.cluttered(query.index);
+	const index = query.index;
 	const DB = args["db"];
 	const data = await openFile(path);
 	let data_string = data.toString("utf-8");
@@ -161,11 +196,11 @@ async function buildMain(args)
 	return data_string;
 }
-async function build404(path, attemptpath)
+async function build404(args)
 {
-	const data = await openFile(path);
+	const data = await openFile(args["path404"]);
 	const data_string = data.toString("utf-8");
-	return data_string.replace("\\(path\\)", attemptpath);
+	return data_string.replace("\\(path\\)", args["path"]);
 }
 async function buildDefault(args)
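Review bot: `const index = query.index;` changes the type of `index` when the parameter is absent: server() now always supplies a string (`""` when missing or non-string) where the old code left `index` undefined, so any `typeof index === "string"` or truthiness check further down buildMain (outside this hunk) now takes a different path for the empty case and should be re-checked. buildMain also now depends on its caller having length-limited and escaped the query values; a comment near the top such as `// query.index and query.day arrive already length-limited and HTML-escaped by server(); do not re-parse here` records that precondition for anyone who calls buildMain from elsewhere. The function begins and ends outside this hunk.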
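Review bot: `data_string.replace("\\(path\\)", args["path"])` passes request-derived text as a string replacement, so `$`-prefixed replacement patterns in the path (`$&`, `$'`, `$$`) are interpreted and can splice parts of the template into the output or swallow the `$`; `antiXSS` does not touch `$`. A function replacer disables that interpretation: `return data_string.replace("\\(path\\)", () => args["path"]);`. The escaped path is safe only as text content, as noted for antiXSS; if the template places the `\(path\)` marker inside an attribute, that is not covered by this commit.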
