feat: add escapeHTML function

This can be used to escape any special characters in a string with HTML before
sending from the server back to the client. This is important to prevent a
cross-site scripting attack.

Author: jsjoeio

src/node/routes/login.ts

@@ -36,6 +36,10 @@ const getRoot = async (req: Request, error?: Error): Promise<string> => {
   } else if (req.args.usingEnvHashedPassword) {
     passwordMsg = "Password was set from $HASHED_PASSWORD."
   }
+
+  if (error) {
+    console.log("there is an error", error.message)
+  }
   return replaceTemplates(
     req,
     content

src/node/util.ts

@@ -509,3 +509,17 @@ export const isFile = async (path: string): Promise<boolean> => {
     return false
   }
 }
+
+/**
+ * Escapes any HTML string special characters, like &, <, >, ", and '.
+ *
+ * Source: https://stackoverflow.com/a/6234804/3015595
+ **/
+export function escapeHTML(unsafe: string): string {
+  return unsafe
+    .replace(/&/g, "&amp;")
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;")
+    .replace(/"/g, "&quot;")
+    .replace(/'/g, "&#039;")
+}

test/unit/node/util.test.ts

@@ -434,3 +434,11 @@ describe("onLine", () => {
     expect(await received).toEqual(expected)
   })
 })
+
+describe("escapeHTML", () => {
+  it("should escape HTML", () => {
+    expect(util.escapeHTML(`<div class="error">"Hello & world"</div>`)).toBe(
+      "&lt;div class=&quot;error&quot;&gt;&quot;Hello &amp; world&quot;&lt;/div&gt;",
+    )
+  })
+})

test/unit/routes/login.test.ts

@@ -1,3 +1,6 @@
+import * as httpserver from "../../utils/httpserver"
+import * as integration from "../../utils/integration"
+
 import { RateLimiter } from "../../../src/node/routes/login"
 
 describe("login", () => {
@@ -34,4 +37,43 @@ describe("login", () => {
       expect(limiter.removeToken()).toBe(false)
     })
   })
+  describe.only("/", () => {
+    let _codeServer: httpserver.HttpServer | undefined
+    function codeServer(): httpserver.HttpServer {
+      if (!_codeServer) {
+        throw new Error("tried to use code-server before setting it up")
+      }
+      return _codeServer
+    }
+
+    // Store whatever might be in here so we can restore it afterward.
+    // TODO: We should probably pass this as an argument somehow instead of
+    // manipulating the environment.
+    const previousEnvPassword = process.env.PASSWORD
+
+    beforeEach(async () => {
+      process.env.PASSWORD = "test"
+      _codeServer = await integration.setup(["--auth=password"], "")
+    })
+
+    afterEach(() => {
+      process.env.PASSWORD = previousEnvPassword
+    })
+
+    // TODO@jsjoeio fix this name of test
+    it("should return an error", async () => {
+      const resp = await codeServer().fetch("/", { method: "POST" })
+      // TODO@jsjoeio um not sure why we are getting a 404
+      expect(resp.status).toBe(404)
+
+      try {
+        const content = JSON.parse(await resp.text())
+
+        expect(content.error).toMatch("ENOENT")
+      } catch (error) {
+        console.log("heree")
+        console.error(error)
+      }
+    })
+  })
 })