fix: sanitize attribute names

.changeset/grumpy-kids-punch.md

@@ -0,0 +1,5 @@
+---
+"@ima/server": patch
+---
+
+The meta attribute names are also sanitized.

packages/server/lib/factory/utils/__tests__/__snapshots__/metaUtilsSpec.js.snap

@@ -2,4 +2,4 @@
 
 exports[`metaUtils renderMeta should generate meta tags while filtering out invalid values 1`] = `"<title>Page title</title><link data-ima-meta rel="stylesheet" href="/media/examples/link-element-example.css" /><meta data-ima-meta name="description" content="meta description" /><meta data-ima-meta name="keywords" content="ima core cli" data-custom-attr="custom-attribute" /><meta data-ima-meta property="og:description" /><meta data-ima-meta property="og:keywords" content="ima core cli" data-custom-attr="custom-attribute" />"`;
 
-exports[`metaUtils renderMeta should generate meta tags while prevent XSS 1`] = `"<title>&lt;script>alert(1)&lt;/script></title><link data-ima-meta rel="stylesheet" href="&quot;>&lt;script>alert(1)&lt;/script>" /><meta data-ima-meta name="description" content="&quot;>&lt;script>alert(1)&lt;/script>" /><meta data-ima-meta name="keywords" content="&quot;>&lt;script>alert(1)&lt;/script>" data-custom-attr="custom-attribute" /><meta data-ima-meta property="og:description" /><meta data-ima-meta property="og:keywords" content="&quot;>&lt;script>alert(1)&lt;/script>" data-custom-attr="custom-attribute" />"`;
+exports[`metaUtils renderMeta should generate meta tags while prevent XSS 1`] = `"<title>&lt;script>alert(1)&lt;/script></title><link data-ima-meta rel="stylesheet" href="&quot;>&lt;script>alert(1)&lt;/script>" /><meta data-ima-meta name="description" content="&quot;>&lt;script>alert(1)&lt;/script>" /><meta data-ima-meta name="keywords" content="&quot;>&lt;script>alert(1)&lt;/script>" data-custom-attr="custom-attribute" /><meta data-ima-meta name="&quot;>&lt;script>alert(1)&lt;/script>" content="&quot;>&lt;script>alert(1)&lt;/script>" data-custom-attr="custom-attribute" /><meta data-ima-meta property="og:description" /><meta data-ima-meta property="og:keywords" content="&quot;>&lt;script>alert(1)&lt;/script>" data-custom-attr="custom-attribute" />"`;

packages/server/lib/factory/utils/__tests__/metaUtilsSpec.js

@@ -76,6 +76,13 @@ describe('metaUtils', () => {
                 'data-custom-attr': 'custom-attribute',
               },
             ],
+            [
+              '"><script>alert(1)</script>',
+              {
+                content: '"><script>alert(1)</script>',
+                'data-custom-attr': 'custom-attribute',
+              },
+            ],
           ]).entries()
         ),
         getMetaPropertiesIterator: jest.fn().mockReturnValue(

packages/server/lib/factory/utils/metaUtils.js

@@ -78,13 +78,14 @@ function _getMetaTags(iterator, tagName, keyName) {
 
     for (let [attrName, attrValue] of Object.entries(attributes)) {
       const sanitizedAttrValue = sanitizeValue(attrValue);
+      const sannitizedAttrName = sanitizeValue(attrName);
 
       // Skip empty values
-      if (sanitizedAttrValue === null) {
+      if (sanitizedAttrValue === null || sannitizedAttrName === null) {
         continue;
       }
 
-      tagParts.push(`${attrName}="${sanitizedAttrValue}"`);
+      tagParts.push(`${sannitizedAttrName}="${sanitizedAttrValue}"`);
     }
 
     tagParts.push('/>');