chore: clean up params in svg query

iconify · Feb 11, 2025 · f62b8ba · f62b8ba
1 parent 65b0eca
commit f62b8ba
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 7 deletions.
diff --git a/src/http/helpers/query.ts b/src/http/helpers/query.ts
@@ -0,0 +1,6 @@
+/**
+ * Basic cleanup for parameters
+ */
+export function cleanupQueryValue(value: string | undefined) {
+	return value ? value.replace(/['"<>&]/g, '') : undefined;
+}
diff --git a/src/http/responses/css.ts b/src/http/responses/css.ts
@@ -6,6 +6,7 @@ import { getStoredIconsData } from '../../data/icon-set/utils/get-icons.js';
 import { iconSets } from '../../data/icon-sets.js';
 import { paramToBoolean } from '../../misc/bool.js';
 import { errorText } from '../helpers/errors.js';
+import { cleanupQueryValue } from '../helpers/query.js';
 
 /**
  * Check selector for weird stuff
@@ -57,7 +58,7 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 
 		// 'color': string
 		// Sets color for monotone images
-		const color = qOptions.color;
+		const color = cleanupQueryValue(qOptions.color);
 		if (typeof color === 'string' && stringToColor(color)) {
 			options.color = color;
 		}
@@ -98,23 +99,23 @@ export function generateIconsStyleResponse(prefix: string, query: FastifyRequest
 		// 'commonSelector': string
 		// Common selector for all requested icons
 		// Alias: 'common'
-		const commonSelector = qOptions.commonSelector || q.common;
+		const commonSelector = cleanupQueryValue(qOptions.commonSelector || q.common);
 		if (checkSelector(commonSelector)) {
 			options.commonSelector = commonSelector;
 		}
 
 		// 'iconSelector': string
 		// Icon selector
 		// Alias: 'selector'
-		const iconSelector = qOptions.iconSelector || q.selector;
+		const iconSelector = cleanupQueryValue(qOptions.iconSelector || q.selector);
 		if (checkSelector(iconSelector)) {
 			options.iconSelector = iconSelector;
 		}
 
 		// 'overrideSelector': string
 		// Selector for rules in icon that override common rules
 		// Alias: 'override'
-		const overrideSelector = qOptions.overrideSelector || q.override;
+		const overrideSelector = cleanupQueryValue(qOptions.overrideSelector || q.override);
 		if (checkSelector(overrideSelector)) {
 			options.overrideSelector = overrideSelector;
 		}

diff --git a/src/http/responses/svg.ts b/src/http/responses/svg.ts
@@ -8,6 +8,7 @@ import type { FastifyReply, FastifyRequest } from 'fastify';
 import { getStoredIconData } from '../../data/icon-set/utils/get-icon.js';
 import { iconSets } from '../../data/icon-sets.js';
 import { errorText } from '../helpers/errors.js';
+import { cleanupQueryValue } from '../helpers/query.js';
 
 /**
  * Generate SVG
@@ -43,8 +44,8 @@ export function generateSVGResponse(prefix: string, name: string, query: Fastify
 		const customisations: IconifyIconCustomisations = {};
 
 		// Dimensions
-		customisations.width = q.width || defaultIconCustomisations.width;
-		customisations.height = q.height || defaultIconCustomisations.height;
+		customisations.width = cleanupQueryValue(q.width) || defaultIconCustomisations.width;
+		customisations.height = cleanupQueryValue(q.height) || defaultIconCustomisations.height;
 
 		// Rotation
 		customisations.rotate = q.rotate ? rotateFromString(q.rotate, 0) : 0;
@@ -75,7 +76,7 @@ export function generateSVGResponse(prefix: string, name: string, query: Fastify
 		let html = iconToHTML(body, svg.attributes);
 
 		// Change color
-		const color = q.color;
+		const color = cleanupQueryValue(q.color);
 		if (color && html.indexOf('currentColor') !== -1 && color.indexOf('"') === -1) {
 			html = html.split('currentColor').join(color);
 		}