Escape log titles, LICENSE files, and text files

server.js

@@ -3,7 +3,7 @@ const app = express()
 const port = 3000
 var fs = require('fs')
 var path = require('path')
-const { bufferFile, wc, head } = require('./utils')
+const { bufferFile, wc, head, escape } = require('./utils')
 
 app.engine('cosmic', function (filePath, options, callback) {
   fs.readFile(filePath, function (err, content) {
@@ -31,7 +31,7 @@ app.get('/', async function (req, res) {
     let link = split[1]
     link = link.replace(/\.txt$/, '.html')
     let name = split[0].substr(1)
-    content += '<a href="' + link + '">' + lines + ' <span class="dim">&gt;&gt;</span> ' + name + '</a>\n'
+    content += '<a href="' + link + '">' + lines + ' <span class="dim">&gt;&gt;</span> ' + escape(name) + '</a>\n'
     lines--
   }
   res.render('index', { intro: intro, recent: content })
@@ -46,7 +46,7 @@ app.get('/log', async function (req, res) {
     let link = split[1]
     link = link.replace(/\.txt$/, '.html')
     let name = split[0].substr(1)
-    content += '<a href="' + link + '">' + String(lines).padStart(3, '0') + ' <span class="dim">&gt;&gt;</span> ' + name + '</a>\n'
+    content += '<a href="' + link + '">' + String(lines).padStart(3, '0') + ' <span class="dim">&gt;&gt;</span> ' + escape(name) + '</a>\n'
     lines--
   }
   const back = '<a href="/"><span class="dim">&lt;&lt;</span> BACK TO COSMIC VOYAGE</a>'
@@ -78,7 +78,7 @@ app.get('/ships', async function (req, res) {
 app.get('/ships/*', async function (req, res) {
   const list = await head('/var/gopher/listing.gophermap')
   const ship = decodeURIComponent(req.path).replace(new RegExp('/ships/', 'i'), '').replace(new RegExp('/(?:index.html)?$', 'i'), '');
-  const description = bufferFile('/var/gopher/' + ship + '/.description') || ''
+  const description = escape(bufferFile('/var/gopher/' + ship + '/.description')) || ''
   const license = bufferFile('/var/gopher/' + ship + '/LICENSE') || ''
   var licenseLabel = ''
   var licenseContent = ''
@@ -96,7 +96,7 @@ app.get('/ships/*', async function (req, res) {
       let link = split[1]
       link = link.replace(/\.txt$/, '.html')
       let name = split[0].substr(1)
-      content += '<a href="' + link + '">' + String(list.length - i).padStart(3, '0') + ' <span class="dim">&gt;&gt;</span> ' + name + '</a>\n'
+      content += '<a href="' + link + '">' + String(list.length - i).padStart(3, '0') + ' <span class="dim">&gt;&gt;</span> ' + escape(name) + '</a>\n'
     }
   }
   const fullUrl = 'https://cosmic.voyage' + req.originalUrl
@@ -144,7 +144,7 @@ app.get('*/LICENSE', function(req, res){
   var file = path.join('/var/gopher/', decodeURIComponent(req.path));
   fs.exists(file, function(exists) {
     if (exists) {
-      const file = bufferFile('/var/gopher/' + decodeURIComponent(req.path))
+      const file = escape(bufferFile('/var/gopher/' + decodeURIComponent(req.path)))
       const back = '<a href="/log"><span class="dim">&lt;&lt;</span> BACK TO RS001 LOG</a>'
       const content = back + '\n\n' + file
       res.setHeader('content-type', 'text/html')
@@ -176,7 +176,7 @@ app.get('*', function(req, res){
     var file = path.join('/var/gopher/', decodeURIComponent(req.path).replace(/\.html/, '.txt'));
     fs.exists(file, function(exists) {
       if (exists) {
-        const file = bufferFile('/var/gopher/' + decodeURIComponent(req.path).replace(/\.html/, '.txt'))
+        const file = escape(bufferFile('/var/gopher/' + decodeURIComponent(req.path).replace(/\.html/, '.txt')))
         const back = '<a href="/log"><span class="dim">&lt;&lt;</span> BACK TO RS001 LOG</a>'
         const content = back + '\n\n' + file
         const fullUrl = 'https://cosmic.voyage' + req.originalUrl

utils.js

@@ -43,8 +43,13 @@ function wc (path) {
   })
 }
 
+function escape (text) {
+  return text.replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace('"', '&quot;').replace("'", '&#x27;')
+}
+
 module.exports = {
   bufferFile: bufferFile,
   head: head,
-  wc: wc
+  wc: wc,
+  escape: escape
 }