fix: Use encodeURIComponent to prevent XSS

- Updated the game mode and room ID parameters to use `encodeURIComponent` before including them in URLs. - This change ensures that special characters are properly encoded, preventing potential XSS attacks. - Applied this update to the room creation and joining logic in `home.ejs` and `play-now.ejs`. This fix enhances the security of the application by preventing cross-site scripting (XSS) vulnerabilities.
tridecco · Nov 12, 2024 · 0ed2b6c · 0ed2b6c
1 parent e1390db
commit 0ed2b6c
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/views/pages/home.ejs b/views/pages/home.ejs
@@ -116,21 +116,21 @@
     
         // Handle Join Room
         document.getElementById("join-room").addEventListener("click", () => {
-            const roomId = encodeURIComponent(document.getElementById("room-id").value);
-            window.location.href = `/game?type=join&roomId=${roomId}`;
+            const roomId = document.getElementById("room-id").value;
+            window.location.href = `/game?type=join&roomId=${encodeURIComponent(roomId)}`;
         });
     
         // Create Room event listeners
         document.getElementById("create-room-single").addEventListener("click", () => {
             const playerCount = document.getElementById("player-count-single").value;
             const gameMode = `classic-${playerCount}-single`;
-            window.location.href = `/game?type=create&gameMode=${gameMode}`;
+            window.location.href = `/game?type=create&gameMode=${encodeURIComponent(gameMode)}`;
         });
     
         document.getElementById("create-room-multi").addEventListener("click", () => {
             const playerCount = document.getElementById("player-count-multi").value;
             const gameMode = `classic-${playerCount}`;
-            window.location.href = `/game?type=create&gameMode=${gameMode}`;
+            window.location.href = `/game?type=create&gameMode=${encodeURIComponent(gameMode)}`;
         });    
 
         // Initialize GameNetwork (Socket.IO)

diff --git a/views/pages/play-now.ejs b/views/pages/play-now.ejs
@@ -104,12 +104,12 @@
         document.getElementById("start-game-single").addEventListener("click", () => {
             const playerCount = document.getElementById("player-count-single").value;
             const gameMode = `classic-${playerCount}-single`;
-            window.location.href = `/game?type=queue&gameMode=${gameMode}`;
+            window.location.href = `/game?type=queue&gameMode=${encodeURIComponent(gameMode)}`;
         });
         document.getElementById("start-game-multi").addEventListener("click", () => {
             const playerCount = document.getElementById("player-count-multi").value;
             const gameMode = `classic-${playerCount}`;
-            window.location.href = `/game?type=queue&gameMode=${gameMode}`;
+            window.location.href = `/game?type=queue&gameMode=${encodeURIComponent(gameMode)}`;
         });
     </script>
 </body>