add regex safe value for css xsite scripting

Author: dskamiotis

dotcom-rendering/src/server/lib/add-queryparams-to-abtests.ts

@@ -1,19 +1,24 @@
 import type { Handler } from 'express';
 import { validateAsFEArticle } from '../../../src/model/validate';
 
-export const addQueryParamsToABTests: Handler = async (req, res, next) => {
+export const getABTestsFromQueryParams: Handler = async (req, res, next) => {
 	try {
 		const frontendData = validateAsFEArticle(req.body);
 
 		const { config } = frontendData;
 
 		const queryParamsAb = req.query;
 
+		const SAFE_KEY = /^[a-zA-Z0-9_-]{1,100}$/;
+		const SAFE_VALUE = /^[a-zA-Z0-9_-]{1,40}$/;
+
 		const filteredQuery: Record<string, string> = {};
 		for (const [key, value] of Object.entries(queryParamsAb)) {
 			if (typeof value == 'string' && key.startsWith('ab-')) {
 				const testId = key.replace(/^ab-/, '');
-				filteredQuery[testId] = value;
+				if (SAFE_VALUE.test(value) && SAFE_KEY.test(key)) {
+					filteredQuery[testId] = value;
+				}
 			}
 		}
 

dotcom-rendering/src/server/server.dev.ts

@@ -21,7 +21,7 @@ import {
 	handleFootballMatchPage,
 	handleFootballTablesPage,
 } from './handler.sportDataPage.web';
-import { addQueryParamsToABTests } from './lib/add-queryparams-to-abtests';
+import { getABTestsFromQueryParams } from './lib/add-queryparams-to-abtests';
 import { getContentFromURLMiddleware } from './lib/get-content-from-url';
 
 /** article URLs contain a part that looks like “2022/nov/25” */
@@ -91,7 +91,7 @@ const renderer = Router();
 // populates req.body with the content data from a production
 // URL if req.params.url is present
 renderer.use(getContentFromURLMiddleware);
-renderer.use(addQueryParamsToABTests);
+renderer.use(getABTestsFromQueryParams);
 renderer.get('/Article/*url', handleArticle);
 renderer.get('/Interactive/*url', handleInteractive);
 renderer.get('/Blocks/*url', handleBlocks);