From fde8b92476d6f968f3feb7f626547ca9441abf9c Mon Sep 17 00:00:00 2001
From: Jeremy Kauffman
Date: Thu, 31 Oct 2019 17:34:19 -0400
Subject: [PATCH] fix metadata escaping

---
 src/platforms/web/server.js | 20 ++++++++++++++++----
 1 file changed, 16 insertions(+), 4 deletions(-)

diff --git a/src/platforms/web/server.js b/src/platforms/web/server.js
index c408af589..f8c26752b 100644
--- a/src/platforms/web/server.js
+++ b/src/platforms/web/server.js
@@ -57,6 +57,17 @@ function insertToHead(fullHtml, htmlToInsert) {
 return fullHtml.replace(/.*/s, htmlToInsert);
 }

+function escapeHtmlProperty(property) {
+ return property
+ ? String(property)
+ .replace(/&/g, '&')
+ .replace(//g, '>')
+ .replace(/"/g, '"')
+ .replace(/'/g, ''')
+ : '';
+}
+
 const defaultHead =
 'lbry.tv\n' +
 `\n` +
@@ -86,13 +97,13 @@ app.get('*', async (req, res) => {
 getClaim(claimName, claimId, channelName, channelClaimId, (err, rows) => {
 if (!err && rows && rows.length > 0) {
 const claim = rows[0];
- const title = claim.title ? claim.title : claimName;
+ const title = escapeHtmlProperty(claim.title ? claim.title : claimName);
 const claimDescription =
 claim.description && claim.description.length > 0
- ? truncateDescription(claim.description)
+ ? escapeHtmlProperty(truncateDescription(claim.description))
 : `Watch ${title} on LBRY.tv`;
- const claimLanguage = claim.language || 'en_US';
- const claimThumbnail = claim.thumbnail_url || `${DOMAIN}/og.png`;
+ const claimLanguage = escapeHtmlProperty(claim.language) || 'en_US';
+ const claimThumbnail = escapeHtmlProperty(claim.thumbnail_url) || `${DOMAIN}/og.png`;
 const claimTitle =
 claim.channel && !isChannel
 ? `${title} from ${claim.channel} on LBRY.tv`
 : `${title} on LBRY.tv`;
@@ -111,6 +122,7 @@ app.get('*', async (req, res) => {
 head += ``;
 head += ``;
 head += ``;
+ head += ``;
 // below should be canonical_url, but not provided by chainquery yet
 head += ``;
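Review bot: The replacement strings in `escapeHtmlProperty` appear here as `'&'`, `'"'` and `'''`, and the `<` case is fused into `.replace(//g, '>')`, which taken literally would make the function a no-op; this looks like entity decoding by the page rather than the committed code, but it is worth confirming the source emits `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#39;`, with the `&` replacement kept first so the entities introduced by the later replacements are not themselves re-escaped. The `property ? … : ''` guard also turns `0` and `false` into `''`, which may be acceptable for these string metadata fields but is a silent drop rather than an escape. A short JSDoc would make the contract explicit for callers: `/** Escapes a value for HTML text and quoted attribute values; it does not validate URLs or make the value safe for script or unquoted-attribute contexts. */`.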
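Review bot: `claim.channel` is interpolated unescaped into `claimTitle` in the `${title} from ${claim.channel} on LBRY.tv` branch, while `title` in the same template has already been passed through `escapeHtmlProperty`; a channel name containing quotes or angle brackets would reach whatever `claimTitle` is written into with the same problem this commit fixes for the other fields. Escaping it at the point of use keeps the treatment consistent: ``? `${title} from ${escapeHtmlProperty(claim.channel)} on LBRY.tv` ``. Where `claimTitle` is emitted lies outside this hunk (the enclosing handler continues past it), so the impact is inferred from the parallel handling of `title` rather than seen directly.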