Just to be sure, sanitize the Content-Language response header. (Even…
…though there is no known/reproducible vulnerability yet #80)
adrai committed Dec 24, 2024
1 parent 164ec71 commit 0640b52
Showing 3 changed files with 16 additions and 2 deletions.
3 changes: 3 additions & 0 deletions CHANGELOG.md
@@ -1,3 +1,6 @@
## [v3.7.1](https://github.com/i18next/i18next-http-middleware/compare/v3.7.0...v3.7.1)
- Just to be sure, sanitize the Content-Language response header. (Eventhough there is no known/reproducible vulnerability yet #80)

## [v3.7.0](https://github.com/i18next/i18next-http-middleware/compare/v3.6.0...v3.7.0)
- support i18next v24

4 changes: 2 additions & 2 deletions lib/index.js
Expand Up @@ -55,7 +55,7 @@ export function handle (i18next, options = {}) {
}

if (lng && options.getHeader(res, 'Content-Language') !== lng) {
options.setHeader(res, 'Content-Language', lng)
options.setHeader(res, 'Content-Language', utils.escape(lng))
}

req.languages = i18next.services.languageUtils.toResolveHierarchy(lng)
Expand All @@ -73,7 +73,7 @@ export function handle (i18next, options = {}) {
// set locale
req.language = req.locale = req.lng = lng
if (lng && options.getHeader(res, 'Content-Language') !== lng) {
options.setHeader(res, 'Content-Language', lng)
options.setHeader(res, 'Content-Language', utils.escape(lng))
}
req.languages = i18next.services.languageUtils.toResolveHierarchy(lng)

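Review bot: `utils.escape` is an HTML-entity escaper, which is not the right check for an HTTP header value: in both hunks (`@@ -55,7` and `@@ -73,7`) the escaped result is written to `Content-Language`, so any `lng` containing `/`, `'` or `"` is sent as entity text that is no longer a valid language tag, while the characters that actually matter for a header (CR/LF) are not touched by the function at all (Node's own `setHeader` rejects them, but a custom `options.setHeader` may not). A `Content-Language` value is a BCP 47 tag made only of letters, digits and hyphens, so a whitelist test is tighter and keeps the header meaningful, e.g. `if (lng && /^[A-Za-z0-9-]+$/.test(lng) && options.getHeader(res, 'Content-Language') !== lng) {` (constructed pattern, confirm it covers every tag form the project accepts). Note also that the guard still compares the stored header with the raw `lng`, so whenever escaping changes the value the two never match and `setHeader` runs on every request; if escaping is kept, compute `const safeLng = utils.escape(lng)` once and compare and set with that. `handle` begins and ends outside these hunks, and where `lng` originates (presumably the language detector, i.e. request-controlled input) is not visible here.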
11 changes: 11 additions & 0 deletions lib/utils.js
Expand Up @@ -58,3 +58,14 @@ export function removeLngFromUrl (url, lookupFromPathIndex) {

return url
}

export function escape (str) {
return (str.replace(/&/g, '&')
.replace(/"/g, '"')
.replace(/'/g, ''')
.replace(/</g, '&lt;')
.replace(/>/g, '&gt;')
.replace(/\//g, '&#x2F;')
.replace(/\\/g, '&#x5C;')
.replace(/`/g, '&#96;'))
}
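Review bot: As rendered on this page the first three replacements in `escape` map a character to itself (`/&/g` → `'&'`, `/"/g` → `'"'`, `/'/g` → `'''`), and the third would not even parse as JavaScript, so this is most likely the forge decoding entities and the source reads `'&amp;'`, `'&quot;'`, `'&#39;'`; worth confirming against the actual file, because if the literals really are bare characters those three lines do nothing. The function also assumes a string argument: `str.replace` throws on `undefined` or `null`, so it depends on every caller checking the value first, as the two call sites in lib/index.js do with `if (lng && ...)`. Since the name suggests a general-purpose sanitizer, a short JSDoc would prevent misuse: `/** HTML-entity-escapes & " ' < > / \ and backtick in a string. It is not a validator for header values or language tags; check those against an allowed pattern instead. */`.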
