From 0ed2b6cb001ae8244ca2d284b151e85027b52d84 Mon Sep 17 00:00:00 2001
From: Tony Kan
Date: Tue, 12 Nov 2024 08:06:47 -0800
Subject: [PATCH] fix: Use encodeURIComponent to prevent XSS

- Updated the game mode and room ID parameters to use `encodeURIComponent` before including them in URLs.
- This change ensures that special characters are properly encoded, preventing potential XSS attacks.
- Applied this update to the room creation and joining logic in `home.ejs` and `play-now.ejs`.

This fix enhances the security of the application by preventing cross-site scripting (XSS) vulnerabilities.
---
 views/pages/home.ejs | 8 ++++----
 views/pages/play-now.ejs | 4 ++--
 2 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/views/pages/home.ejs b/views/pages/home.ejs
index f97bcff..fceb3c5 100644
--- a/views/pages/home.ejs
+++ b/views/pages/home.ejs
@@ -116,21 +116,21 @@
 // Handle Join Room
 document.getElementById("join-room").addEventListener("click", () => {
- const roomId = encodeURIComponent(document.getElementById("room-id").value);
- window.location.href = `/game?type=join&roomId=${roomId}`;
+ const roomId = document.getElementById("room-id").value;
+ window.location.href = `/game?type=join&roomId=${encodeURIComponent(roomId)}`;
 });
 // Create Room event listeners
 document.getElementById("create-room-single").addEventListener("click", () => {
 const playerCount = document.getElementById("player-count-single").value;
 const gameMode = `classic-${playerCount}-single`;
- window.location.href = `/game?type=create&gameMode=${gameMode}`;
+ window.location.href = `/game?type=create&gameMode=${encodeURIComponent(gameMode)}`;
 });
 document.getElementById("create-room-multi").addEventListener("click", () => {
 const playerCount = document.getElementById("player-count-multi").value;
 const gameMode = `classic-${playerCount}`;
- window.location.href = `/game?type=create&gameMode=${gameMode}`;
+ window.location.href = `/game?type=create&gameMode=${encodeURIComponent(gameMode)}`;
 });
 // Initialize GameNetwork (Socket.IO)
diff --git a/views/pages/play-now.ejs b/views/pages/play-now.ejs
index ef0de7b..1fde661 100644
--- a/views/pages/play-now.ejs
+++ b/views/pages/play-now.ejs
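Review bot: Percent-encoding roomId and gameMode in the navigating page does not by itself prevent XSS on /game: an attacker can hand a victim a crafted /game?type=join&roomId=... link that never passes through this click handler, so the page that renders these query parameters must still output-escape them (EJS `<%= %>`, never `<%- %>`) and validate them server-side; that rendering is outside this hunk, so I cannot confirm it does. What the added encodeURIComponent calls do fix is query-string structure, e.g. an `&` or `#` typed into room-id no longer truncates or splits the roomId parameter. Consider also rejecting an empty id before navigating, `if (roomId.trim() === "") return;`, and building the query with `new URLSearchParams({ type: "join", roomId })` so the encoding is not repeated per parameter. The enclosing script block begins before this hunk.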
@@ -104,12 +104,12 @@
 document.getElementById("start-game-single").addEventListener("click", () => {
 const playerCount = document.getElementById("player-count-single").value;
 const gameMode = `classic-${playerCount}-single`;
- window.location.href = `/game?type=queue&gameMode=${gameMode}`;
+ window.location.href = `/game?type=queue&gameMode=${encodeURIComponent(gameMode)}`;
 });
 document.getElementById("start-game-multi").addEventListener("click", () => {
 const playerCount = document.getElementById("player-count-multi").value;
 const gameMode = `classic-${playerCount}`;
- window.location.href = `/game?type=queue&gameMode=${gameMode}`;
+ window.location.href = `/game?type=queue&gameMode=${encodeURIComponent(gameMode)}`;
 });
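Review bot: The two handlers in this hunk now differ only in the element id and the gameMode suffix, and each hand-builds the same query string with an inline encodeURIComponent; a tiny helper such as `const goToGame = (gameMode) => { window.location.href = "/game?" + new URLSearchParams({ type: "queue", gameMode }); };` called with the composed mode string removes the duplication and lets the browser do the encoding (URLSearchParams emits `+` for spaces where encodeURIComponent emits `%20`, which standard server-side query parsers treat the same — worth confirming against the /game route). playerCount is read from a select value and interpolated into gameMode without validation; that is acceptable only because the /game handler must validate gameMode anyway, since a user can type the URL directly, so the encoding here is a query-string-integrity fix rather than the XSS fix the commit message claims. The surrounding script block starts before this hunk.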