From d7d7a5f00be218540b98e4a923606cf57bbd23e9 Mon Sep 17 00:00:00 2001
From: Fuwn
Date: Sat, 18 Apr 2026 08:55:09 +0000
Subject: fix(api): encode subsplease timezone to prevent query-param injection

The `tz` query value was interpolated raw into the upstream URL, letting callers append arbitrary query segments (e.g. `tz=foo&f=hax`). Wrap the value in encodeURIComponent and rename the local variable away from the banned `tz` abbreviation.
---
 src/routes/api/subsplease/+server.ts | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

diff --git a/src/routes/api/subsplease/+server.ts b/src/routes/api/subsplease/+server.ts
index 6ef2d832..1f678d8c 100644
--- a/src/routes/api/subsplease/+server.ts
+++ b/src/routes/api/subsplease/+server.ts
@@ -1,12 +1,12 @@
 import { appOriginHeaders } from "$lib/Utility/appOrigin";
 
-export const GET = async ({ url }) =>
- Response.json(
+export const GET = async ({ url }) => {
+ const timezone = url.searchParams.get("tz") || "America/Los_Angeles";
+
+ return Response.json(
 await (
 await fetch(
- `https://subsplease.org/api/?f=schedule&tz=${
- url.searchParams.get("tz") || "America/Los_Angeles"
- }`,
+ `https://subsplease.org/api/?f=schedule&tz=${encodeURIComponent(timezone)}`,
 )
 ).json(),
 {
@@ -15,3 +15,4 @@ export const GET = async ({ url }) =>
 }),
 },
 );
+};
-- 
cgit v1.2.3
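Review bot: The new `const timezone = ...` line encodes the value but still forwards any caller-supplied string to subsplease.org, and the rewritten `await (await fetch(...)).json()` call never checks the response status, so an upstream error page makes `.json()` throw and the route surfaces an unhandled 500. Since the route is a pure proxy, restricting `tz` to a recognised IANA zone (`Intl.supportedValuesOf("timeZone")` if the project's lib target exposes it, otherwise a small allowlist) and returning a 502 on `!response.ok` would give callers a defined failure instead of a stack trace; building the URL with `URL`/`URLSearchParams` also removes the hand-encoding. Note that `||` rather than `??` means an explicit empty `tz=` silently falls back to the default, which is probably intended but deserves a one-line comment such as `// empty tz is treated as "not supplied"`. GET's body continues into the second hunk, and the headers argument between the two hunks is not shown.
```typescript
export const GET = async ({ url }) => {
  const requested = url.searchParams.get("tz") || "America/Los_Angeles";
  // Only forward a recognised IANA zone; anything else falls back to the default.
  const timezone = Intl.supportedValuesOf("timeZone").includes(requested)
    ? requested
    : "America/Los_Angeles";

  const upstream = new URL("https://subsplease.org/api/");
  upstream.searchParams.set("f", "schedule");
  upstream.searchParams.set("tz", timezone);

  const response = await fetch(upstream);
  if (!response.ok) {
    return new Response("upstream schedule unavailable", { status: 502 });
  }

  return Response.json(await response.json(), {
    // … unchanged: headers built from appOriginHeaders …
```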