diff --git a/CHANGELOG.md b/CHANGELOG.md index ab8e0a7..2819fd0 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,6 @@ +## [v3.7.1](https://github.com/i18next/i18next-http-middleware/compare/v3.7.0...v3.7.1) +- Just to be sure, sanitize the Content-Language response header. (Eventhough there is no known/reproducible vulnerability yet #80) + ## [v3.7.0](https://github.com/i18next/i18next-http-middleware/compare/v3.6.0...v3.7.0) - support i18next v24 diff --git a/lib/index.js b/lib/index.js index a03d9e2..5484098 100644 --- a/lib/index.js +++ b/lib/index.js @@ -55,7 +55,7 @@ export function handle (i18next, options = {}) { } if (lng && options.getHeader(res, 'Content-Language') !== lng) { - options.setHeader(res, 'Content-Language', lng) + options.setHeader(res, 'Content-Language', utils.escape(lng)) } req.languages = i18next.services.languageUtils.toResolveHierarchy(lng) @@ -73,7 +73,7 @@ export function handle (i18next, options = {}) { // set locale req.language = req.locale = req.lng = lng if (lng && options.getHeader(res, 'Content-Language') !== lng) { - options.setHeader(res, 'Content-Language', lng) + options.setHeader(res, 'Content-Language', utils.escape(lng)) } req.languages = i18next.services.languageUtils.toResolveHierarchy(lng) diff --git a/lib/utils.js b/lib/utils.js index ea11542..4ace137 100644 --- a/lib/utils.js +++ b/lib/utils.js @@ -58,3 +58,14 @@ export function removeLngFromUrl (url, lookupFromPathIndex) { return url } + +export function escape (str) { + return (str.replace(/&/g, '&') + .replace(/"/g, '"') + .replace(/'/g, ''') + .replace(//g, '>') + .replace(/\//g, '/') + .replace(/\\/g, '\') + .replace(/`/g, '`')) +}
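Review bot: HTML-entity escaping is the wrong sanitizer for an HTTP header: the `utils.escape(lng)` call on the `+` line of the `@@ -55,7` hunk of lib/index.js (and the identical one in the `@@ -73,7` hunk) leaves CR and LF untouched, so it does not close the one injection path a header value has, while it rewrites ordinary characters into entity sequences that are not valid in a Content-Language value; Node's own `res.setHeader` rejects CR/LF, but `options.setHeader` is pluggable here, so that cannot be relied on. The surrounding condition also still compares the raw `lng` against the stored header, so any value that escape() alters never equals what was set and the header is rewritten on every request. A Content-Language value is a BCP 47 tag, which is only letters, digits and hyphens; validating against that alphabet and skipping the header otherwise is both safer and standards-correct: `if (lng && /^[A-Za-z0-9-]+$/.test(lng) && options.getHeader(res, 'Content-Language') !== lng) {`. If this project hands out underscore-separated codes from i18next, the pattern needs `_` as well — check the configured languages. The body of `handle()` and the module's import block are outside both hunks, so whether `utils` is already in scope in lib/index.js cannot be confirmed from the diff.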
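Review bot: `escape` as added in the lib/utils.js hunk encodes a value for an HTML text context, which does not match where lib/index.js uses it (an HTTP response header): every replacement introduces `&` and `;`, which are not language-tag characters, and CR/LF, the characters that matter in a header, pass through unchanged. The displayed line `.replace(//g, '>')` also cannot be what was committed — an empty regex literal is a syntax error in JavaScript — and several replacement literals look decoded by the renderer, so the `<`/`>` replacements appear lost in this view; worth re-checking against the merged file. If the helper is kept under this name for the header use case, an allowlist is the better contract: `return typeof str === 'string' ? str.replace(/[^A-Za-z0-9-]/g, '') : ''`, with a one-line comment that the retained alphabet is the BCP 47 tag alphabet (letters, digits, hyphen). The name also shadows the deprecated global `escape()` inside this module and says nothing about the target context; a JSDoc line such as `Strips characters that are not valid in a language tag; intended for header values, not for HTML output.` (or a more specific name) would keep it from being reused for markup later.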