Merge pull request #9 from railwayapp/fp/sanitize-args

sanitize args before rendering error html
railwayapp · Feb 1, 2024 · cd8e145 · cd8e145
2 parents dca0837 + fb61282
commit cd8e145
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/src/pages/api/image.ts b/src/pages/api/image.ts
@@ -1,7 +1,9 @@
 import { NextApiHandler } from "next";
-import { getLayoutAndConfig } from "../../layouts";
 import { z } from "zod";
+
+import { getLayoutAndConfig } from "../../layouts";
 import { renderLayoutToSVG, renderSVGToPNG } from "../../og";
+import { sanitizeHtml } from "../../layouts/utils";
 
 const imageReq = z.object({
   layoutName: z.string(),
@@ -38,7 +40,9 @@ const handler: NextApiHandler = async (req, res) => {
     res.statusCode = 500;
     res.setHeader("Content-Type", "text/html");
     res.end(
-      `<h1>Internal Error</h1><pre><code>${(e as any).message}</code></pre>`,
+      `<h1>Internal Error</h1><pre><code>${sanitizeHtml(
+        (e as any).message,
+      )}</code></pre>`,
     );
     console.error(e);
   }