| author | Fuwn <[email protected]> | 2026-04-18 08:55:09 +0000 |
|---|---|---|
| committer | Fuwn <[email protected]> | 2026-04-18 08:55:09 +0000 |
| commit | d7d7a5f00be218540b98e4a923606cf57bbd23e9 (patch) | |
| tree | 3088bb7b6fd844e3ba5b139b91090506af057132 | |
| parent | fix(utility): treat .localhost subdomains as private in appOrigin (diff) | |
fix(api): encode subsplease timezone to prevent query-param injection
The `tz` query value was interpolated raw into the upstream URL, letting
callers append arbitrary query segments (e.g. `tz=foo&f=hax`). Wrap the
value in encodeURIComponent and rename the local variable away from the
banned `tz` abbreviation.
| -rw-r--r-- | src/routes/api/subsplease/+server.ts | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/src/routes/api/subsplease/+server.ts b/src/routes/api/subsplease/+server.ts
index 6ef2d832..1f678d8c 100644
--- a/src/routes/api/subsplease/+server.ts
+++ b/src/routes/api/subsplease/+server.ts
@@ -1,12 +1,12 @@
 import { appOriginHeaders } from "$lib/Utility/appOrigin";
-export const GET = async ({ url }) =>
- Response.json(
+export const GET = async ({ url }) => {
+ const timezone = url.searchParams.get("tz") || "America/Los_Angeles";
+
+ return Response.json(
 await (
 await fetch(
- `https://subsplease.org/api/?f=schedule&tz=${
- url.searchParams.get("tz") || "America/Los_Angeles"
- }`,
+ `https://subsplease.org/api/?f=schedule&tz=${encodeURIComponent(timezone)}`,
 )
 ).json(),
 {
@@ -15,3 +15,4 @@ export const GET = async ({ url }) =>
 }),
 },
 );
+};
|
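Review bot: encodeURIComponent on the new template line stops the value from breaking out of the `tz` parameter, but the value itself is still forwarded upstream unvalidated, so any string a caller sends is proxied to subsplease.org as-is; since `tz` is an IANA zone name, the route can reject anything else before the fetch, e.g. `if (!Intl.supportedValuesOf("timeZone").includes(timezone)) return new Response("invalid tz", { status: 400 });` placed right after the new `const timezone` line (Intl.supportedValuesOf needs a Node 18+ runtime and an ES2022 lib target). The `||` fallback means `tz=` silently becomes the default rather than an error, which is probably intended but deserves a one-line comment such as `// empty or missing tz falls back to the default zone`. Unrelated to this change but visible in the hunk, the fetch result is passed straight to `.json()` without checking `response.ok`, so an upstream error page becomes a thrown exception and a 500 from this route. The GET body spans both hunks; the closing `+};` in the second hunk belongs to the arrow function opened in the first.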