fix(error-response-plugin): sanitize input (#1141)

chimurai · web-flow · commit 6b1dd038d24a · 2025-08-30T18:42:11.000Z
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -3,6 +3,7 @@
 ## next
 
 - fix(types): fix Logger type
+- fix(error-response-plugin): sanitize input
 
 ## [v3.0.5](https://github.com/chimurai/http-proxy-middleware/releases/tag/v3.0.5)
 
diff --git a/cspell.json b/cspell.json
@@ -19,7 +19,7 @@
       "path": "CONTRIBUTORS.txt"
     }
   ],
-  "ignoreRegExpList": ["[a-z]+path", "\\]\\(#[a-z-]+\\)"],
+  "ignoreRegExpList": ["[a-z]+path", "\\]\\(#[a-z-]+\\)", "%[\\dA-Z]{2}"],
   "words": [
     "brotli",
     "camelcase",
diff --git a/src/plugins/default/error-response-plugin.ts b/src/plugins/default/error-response-plugin.ts
@@ -3,6 +3,7 @@ import type { Socket } from 'node:net';
 
 import { getStatusCode } from '../../status-code';
 import { Plugin } from '../../types';
+import { sanitize } from '../../utils/sanitize';
 
 function isResponseLike(obj: any): obj is http.ServerResponse {
   return obj && typeof obj.writeHead === 'function';
@@ -26,7 +27,7 @@ export const errorResponsePlugin: Plugin = (proxyServer, options) => {
       }
 
       const host = req.headers && req.headers.host;
-      res.end(`Error occurred while trying to proxy: ${host}${req.url}`);
+      res.end(`Error occurred while trying to proxy: ${sanitize(host)}${sanitize(req.url)}`);
     } else if (isSocketLike(res)) {
       res.destroy();
     }
diff --git a/src/utils/sanitize.ts b/src/utils/sanitize.ts
@@ -0,0 +1,3 @@
+export function sanitize(input: string | undefined): string {
+  return input?.replace(/[<>]/g, (i) => encodeURIComponent(i)) ?? '';
+}
diff --git a/test/unit/utils/sanitize.spec.ts b/test/unit/utils/sanitize.spec.ts
@@ -0,0 +1,17 @@
+import { sanitize } from '../../../src/utils/sanitize';
+
+describe('sanitize()', () => {
+  it('should return empty string for undefined input', () => {
+    expect(sanitize(undefined)).toEqual('');
+  });
+
+  it('should replace special characters with their HTML entity equivalents', () => {
+    const input = '<>';
+    expect(sanitize(input)).toMatchInlineSnapshot(`"%3C%3E"`);
+  });
+
+  it('should replace special characters with HTML entities', () => {
+    const input = '<script>alert("XSS")</script>';
+    expect(sanitize(input)).toMatchInlineSnapshot(`"%3Cscript%3Ealert("XSS")%3C/script%3E"`);
+  });
+});

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,7 @@`
`19`	`19`	`"path": "CONTRIBUTORS.txt"`
`20`	`20`	`}`
`21`	`21`	`],`
`22`		`- "ignoreRegExpList": ["[a-z]+path", "\\]\\(#[a-z-]+\\)"],`
	`22`	`+ "ignoreRegExpList": ["[a-z]+path", "\\]\\(#[a-z-]+\\)", "%[\\dA-Z]{2}"],`
`23`	`23`	`"words": [`
`24`	`24`	`"brotli",`
`25`	`25`	`"camelcase",`
Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ import type { Socket } from 'node:net';`
`3`	`3`
`4`	`4`	`import { getStatusCode } from '../../status-code';`
`5`	`5`	`import { Plugin } from '../../types';`
	`6`	`+import { sanitize } from '../../utils/sanitize';`
`6`	`7`
`7`	`8`	`function isResponseLike(obj: any): obj is http.ServerResponse {`
`8`	`9`	`return obj && typeof obj.writeHead === 'function';`
`@@ -26,7 +27,7 @@ export const errorResponsePlugin: Plugin = (proxyServer, options) => {`
`26`	`27`	`}`
`27`	`28`
`28`	`29`	`const host = req.headers && req.headers.host;`
`29`		- res.end(`Error occurred while trying to proxy: ${host}${req.url}`);
	`30`	+ res.end(`Error occurred while trying to proxy: ${sanitize(host)}${sanitize(req.url)}`);
`30`	`31`	`} else if (isSocketLike(res)) {`
`31`	`32`	`res.destroy();`
`32`	`33`	`}`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+export function sanitize(input: string \| undefined): string {`
	`2`	`+ return input?.replace(/[<>]/g, (i) => encodeURIComponent(i)) ?? '';`
	`3`	`+}`