Potential fix for code scanning alert no. 2: Reflected cross-site scripting#10

Merged
KyFaSt merged 1 commit into main from alert-autofix-2 on Jan 12, 2026

Conversation

@KyFaSt (Collaborator)

@KyFaSt KyFaSt commented Jan 12, 2026

Potential fix for https://github.com/github-samples/gitfolio/security/code-scanning/2

In general, to fix reflected XSS you must ensure any user-controlled data is contextually encoded before being inserted into an HTML response. For HTML body content (text between tags), HTML-escape characters like <, >, &, ", and ' so they are rendered as text instead of being interpreted as markup or script.

The best fix here, without changing existing functionality, is to HTML-escape message before interpolating it into the template. We can introduce a small helper function (in the same file) that replaces the dangerous characters with their HTML entity equivalents, then use that function when building html. This preserves the same API and behavior for normal input, but ensures that any HTML special characters in message are rendered safely. Concretely:

  • Add a local escapeHtml function near the top of pages/api/display-message.js.
  • Change <div>${message}</div> to <div>${escapeHtml(message)}</div>.

No new external dependencies are strictly required; we can implement a minimal, well-known HTML escaping routine inline.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

…ipting

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@KyFaSt KyFaSt marked this pull request as ready for review January 12, 2026 17:12
Copilot AI review requested due to automatic review settings January 12, 2026 17:12
@KyFaSt KyFaSt merged commit 362a4a3 into main Jan 12, 2026
6 checks passed

Copilot AI left a comment


Pull request overview

This pull request fixes a reflected XSS vulnerability in the /api/display-message endpoint by implementing HTML escaping for user-controlled input.

Changes:

  • Added an escapeHtml helper function that properly encodes HTML special characters (&, <, >, ", ')
  • Applied the escaping function to the message query parameter before rendering it in the HTML response
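The escaping helper and its use at the point of interpolation, as described in the PR body and summarized in the review above, shown as an added example that is not gitfolio's own code. The route code in pages/api/display-message.js is not on this page, so the handler shape (a Next.js-style `handler(req, res)` reading `req.query.message`) and the `buildMessageHtml` and `runHandler` names are assumptions.

```javascript
// Added example (not gitfolio's own code). The route shape below is an
// assumption; only escapeHtml and the <div>${escapeHtml(message)}</div>
// change are described on the page.

// Encode the five characters that can change context in HTML body content.
// '&' must be replaced first, otherwise the entities produced by the later
// replacements would themselves be re-encoded.
function escapeHtml(input) {
  return String(input)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Escape at the point of interpolation into HTML body text. This encoding is
// only correct for text between tags; an attribute value, a URL, or a
// <script> block would need context-specific encoding instead.
function buildMessageHtml(message) {
  return `<!DOCTYPE html><html><body><div>${escapeHtml(message)}</div></body></html>`;
}

// Next.js-style API route handler (assumed shape). A repeated query parameter
// arrives as an array, so coerce to a single string before rendering.
function handler(req, res) {
  const raw = req.query.message;
  const message = Array.isArray(raw) ? raw.join(',') : (raw ?? '');
  res.setHeader('Content-Type', 'text/html; charset=utf-8');
  res.status(200).send(buildMessageHtml(message));
}

// Constructed request/response stand-ins so the handler runs offline.
function runHandler(query) {
  const captured = { status: 0, headers: {}, body: '' };
  const res = {
    setHeader(name, value) { captured.headers[name] = value; },
    status(code) { captured.status = code; return res; },
    send(body) { captured.body = body; return res; },
  };
  handler({ query }, res);
  return captured;
}
```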
