CWE-79/CWE-116 advice for Cross Site Scripting.

Just in case
BarryCarlyon · Nov 16, 2020 · 926de5a · 926de5a
1 parent 335a8d0
commit 926de5a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 2 deletions.
diff --git a/eventsub/handlers/nodejs/receive.js b/eventsub/handlers/nodejs/receive.js
@@ -77,7 +77,7 @@ app
             // it's a webhook
             if (req.body.hasOwnProperty('challenge') && req.headers['twitch-eventsub-message-type'] == 'webhook_callback_verification') {
                 console.log('Got a challenge, return the challenge');
-                res.send(req.body.challenge);
+                res.send(escape(req.body.challenge));
                 return;
             }
         }

diff --git a/webhooks/handlers/nodejs/receive.js b/webhooks/handlers/nodejs/receive.js
@@ -64,7 +64,7 @@ app
             console.log('Got a challenge', req.query['hub.challenge']);
             // it's a challenge from Twitch
             // lets acknowledge it
-            res.send(req.query['hub.challenge']);
+            res.send(escape(req.query['hub.challenge']));
         } else {
             console.log('Got a weird, no challenge');
             // normally won't get called