escape the query on loadwhiteboard and getReadOnlyWid

2021-06-22 23:10:23 +02:00 · 2021-06-22 23:10:23 +02:00 · 4f4c5fe87e
commit 4f4c5fe87e
parent 0e00bebe88
1 changed files with 6 additions and 4 deletions
--- a/scripts/server-backend.js
+++ b/scripts/server-backend.js
@ -49,8 +49,9 @@ function startBackendServer(port) {
     *     curl -i http://[rootUrl]/api/loadwhiteboard?wid=[MyWhiteboardId]
     */
    app.get("/api/loadwhiteboard", function (req, res) {
-        const wid = req["query"]["wid"];
-        const at = req["query"]["at"]; //accesstoken
+        let query = escapeAllContentStrings(req["query"]);
+        const wid = query["wid"];
+        const at = query["at"]; //accesstoken
        if (accessToken === "" || accessToken == at) {
            const widForData = ReadOnlyBackendService.isReadOnly(wid)
                ? ReadOnlyBackendService.getIdFromReadOnlyId(wid)
@ -80,8 +81,9 @@ function startBackendServer(port) {
     *     curl -i http://[rootUrl]/api/getReadOnlyWid?wid=[MyWhiteboardId]
     */
    app.get("/api/getReadOnlyWid", function (req, res) {
-        const wid = req["query"]["wid"];
-        const at = req["query"]["at"]; //accesstoken
+        let query = escapeAllContentStrings(req["query"]);
+        const wid = query["wid"];
+        const at = query["at"]; //accesstoken
        if (accessToken === "" || accessToken == at) {
            res.send(ReadOnlyBackendService.getReadOnlyId(wid));
            res.end();