mirror of
https://github.com/elicpeter/nyx.git
synced 2026-06-09 19:45:13 +02:00
20 lines
654 B
JavaScript
20 lines
654 B
JavaScript
// Safe: user-supplied substring routed through the project-local
|
|
// `escapeXpath` helper before concatenation. The sanitizer clears the
|
|
// XPATH_INJECTION cap so the sink does not fire.
|
|
const xpath = require('xpath');
|
|
const { DOMParser } = require('xmldom');
|
|
|
|
function escapeXpath(raw) {
|
|
return raw.replace(/'/g, ''').replace(/"/g, '"');
|
|
}
|
|
|
|
function lookup(req, res) {
|
|
const doc = new DOMParser().parseFromString('<root/>');
|
|
const user = req.query.user;
|
|
const safe = escapeXpath(user);
|
|
const expr = "//user[name='" + safe + "']";
|
|
const nodes = xpath.select(expr, doc);
|
|
res.json(nodes);
|
|
}
|
|
|
|
module.exports = lookup;
|