fix: CE-862: Fixed potential cross site scripting exploit (#497)

Co-authored-by: Mike Sears <[email protected]>
bcgov · Jul 4, 2024 · 3833459 · 3833459
1 parent c491eb2
commit 3833459
Show file tree

Hide file tree

Showing 3 changed files with 4 additions and 3 deletions.
diff --git a/backend/package-lock.json b/backend/package-lock.json
diff --git a/backend/package.json b/backend/package.json
@@ -64,6 +64,7 @@
     "date-fns": "^3.6.0",
     "date-fns-tz": "^3.1.3",
     "dotenv": "^16.0.1",
+    "escape-html": "^1.0.3",
     "form-data": "^4.0.0",
     "geojson": "^0.5.0",
     "jest-mock": "^29.6.1",

diff --git a/backend/src/v1/document/document.controller.ts b/backend/src/v1/document/document.controller.ts
@@ -8,6 +8,7 @@ import { Roles } from "../../auth/decorators/roles.decorator";
 import { Token } from "../../auth/decorators/token.decorator";
 import { COMPLAINT_TYPE } from "../../types/models/complaints/complaint-type";
 import { format } from "date-fns";
+import { escape } from "escape-html";
 
 @UseGuards(JwtRoleGuard)
 @ApiTags("document")
@@ -27,8 +28,6 @@ export class DocumentController {
     @Res() res: Response,
   ): Promise<void> {
     try {
-      this.logger.debug("TIMEZONE: ", tz);
-
       const fileName = `Complaint-${id}-${type}-${format(new Date(), "yyyy-MM-dd")}.pdf`;
       const response = await this.service.exportComplaint(id, type, fileName, tz);
 
@@ -47,7 +46,7 @@ export class DocumentController {
       res.end(buffer);
     } catch (error) {
       this.logger.error(`exception: unable to export document for complaint: ${id} - error: ${error}`);
-      res.status(500).send(`exception: unable to export document for complaint: ${id} - error: ${error}`);
+      res.status(500).send(`exception: unable to export document for complaint: ${escape(id)}`);
     }
   }
 }