
Commit 6bb58e9

committed
add regex safe value for css xsite scripting
1 parent 3051ace commit 6bb58e9


1 file changed

+5
-1
lines changed

1 file changed

+5
-1
lines changed

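--- a/dotcom-rendering/src/server/lib/add-queryparams-to-abtests.ts
+++ b/dotcom-rendering/src/server/lib/add-queryparams-to-abtests.ts
@@ -9,11 +9,15 @@ export const addQueryParamsToABTests: Handler = async (req, res, next) => {
 
 const queryParamsAb = req.query;
 
+const SAFE_KEY = /^[a-zA-Z0-9_-]{1,100}$/;
+const SAFE_VALUE = /^[a-zA-Z0-9_-]{1,40}$/;
+
 const filteredQuery: Record<string, string> = {};
 for (const [key, value] of Object.entries(queryParamsAb)) {
 if (typeof value == 'string' && key.startsWith('ab-')) {
 const testId = key.replace(/^ab-/, '');
-filteredQuery[testId] = value;
+if (SAFE_VALUE.test(value) && SAFE_KEY.test(key))
+filteredQuery[testId] = value;
 }
 }
 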
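Review bot: The nested `if` added at new line 19 is braceless across two lines while the enclosing `if` and `for` on the context lines use braces; keep the file's brace style, `if (SAFE_VALUE.test(value) && SAFE_KEY.test(key)) {` / `filteredQuery[testId] = value;` / `}`. `SAFE_KEY` and `SAFE_VALUE` are declared inside the handler body, so both regex literals are re-created on every request even though they depend on nothing request-specific; they can be hoisted to module scope above `addQueryParamsToABTests`, whose body begins before this hunk. `SAFE_KEY` is applied to the raw `key` (including its `ab-` prefix) rather than to `testId`, so the effective limit on the id itself is 97 characters; if the length bound is meant for the id, test `testId` instead. Parameters that fail the allowlist are dropped silently, which is the right default for an allowlist, but a debug-level log naming the rejected key would make a misconfigured test easier to trace.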