From 71e40260e74c369590f648e9e98a2dee2a92f83f Mon Sep 17 00:00:00 2001
From: Miroslav Jancarik
Date: Mon, 16 Sep 2024 23:28:51 +0200
Subject: [PATCH] fix: sanitize attribute names
---
 .changeset/grumpy-kids-punch.md | 5 +++++
 .../utils/__tests__/__snapshots__/metaUtilsSpec.js.snap | 2 +-
 .../server/lib/factory/utils/__tests__/metaUtilsSpec.js | 7 +++++++
 packages/server/lib/factory/utils/metaUtils.js | 5 +++--
 4 files changed, 16 insertions(+), 3 deletions(-)
 create mode 100644 .changeset/grumpy-kids-punch.md
diff --git a/.changeset/grumpy-kids-punch.md b/.changeset/grumpy-kids-punch.md
new file mode 100644
index 0000000000..61b78530ec
--- /dev/null
+++ b/.changeset/grumpy-kids-punch.md
@@ -0,0 +1,5 @@
+---
+"@ima/server": patch
+---
+
+The meta attribute names are also sanitized.
diff --git a/packages/server/lib/factory/utils/__tests__/__snapshots__/metaUtilsSpec.js.snap b/packages/server/lib/factory/utils/__tests__/__snapshots__/metaUtilsSpec.js.snap
index 7312c72a02..3de3bf1c3f 100644
--- a/packages/server/lib/factory/utils/__tests__/__snapshots__/metaUtilsSpec.js.snap
+++ b/packages/server/lib/factory/utils/__tests__/__snapshots__/metaUtilsSpec.js.snap
@@ -2,4 +2,4 @@
 exports[`metaUtils renderMeta should generate meta tags while filtering out invalid values 1`] = `"Page title"`;
-exports[`metaUtils renderMeta should generate meta tags while prevent XSS 1`] = `"<script>alert(1)</script>"`;
+exports[`metaUtils renderMeta should generate meta tags while prevent XSS 1`] = `"<script>alert(1)</script>"`;
diff --git a/packages/server/lib/factory/utils/__tests__/metaUtilsSpec.js b/packages/server/lib/factory/utils/__tests__/metaUtilsSpec.js
index 4398996881..30b3036ff2 100644
--- a/packages/server/lib/factory/utils/__tests__/metaUtilsSpec.js
+++ b/packages/server/lib/factory/utils/__tests__/metaUtilsSpec.js
@@ -76,6 +76,13 @@ describe('metaUtils', () => {
 'data-custom-attr': 'custom-attribute',
 },
 ],
+ [
+ '">',
+ {
+ content: '">',
+ 'data-custom-attr': 'custom-attribute',
+ },
+ ],
 ]).entries()
 ),
 getMetaPropertiesIterator: jest.fn().mockReturnValue(
diff --git a/packages/server/lib/factory/utils/metaUtils.js b/packages/server/lib/factory/utils/metaUtils.js
index 701791f5ca..6a93fc8e33 100644
--- a/packages/server/lib/factory/utils/metaUtils.js
+++ b/packages/server/lib/factory/utils/metaUtils.js
@@ -78,13 +78,14 @@ function _getMetaTags(iterator, tagName, keyName) {
 for (let [attrName, attrValue] of Object.entries(attributes)) {
 const sanitizedAttrValue = sanitizeValue(attrValue);
+ const sannitizedAttrName = sanitizeValue(attrName);
 // Skip empty values
- if (sanitizedAttrValue === null) {
+ if (sanitizedAttrValue === null || sannitizedAttrName === null) {
 continue;
 }
- tagParts.push(`${attrName}="${sanitizedAttrValue}"`);
+ tagParts.push(`${sannitizedAttrName}="${sanitizedAttrValue}"`);
 }
 tagParts.push('/>');
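Review bot: The added fixture only covers `">` as an attribute name, so it cannot distinguish a strict name check from plain entity escaping: a name such as `onload=alert(1) x` contains none of `<`, `>` or `"` and, if sanitizeValue is just an HTML escaper as the XSS snapshot suggests, would pass through as an injected event-handler attribute. I would add a second entry next to this one, `['onload=alert(1) x', { content: 'x' }]`, and check that the rendered output contains no `onload`. The describe block and the mocked iterator start before the hunk.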
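Review bot: Running the attribute name through the value escaper on the new line `const sannitizedAttrName = sanitizeValue(attrName);` does not stop a name from breaking out of the tag, because HTML escapers typically leave whitespace, `=` and `/` alone: a name like `onload=alert(1) x` would be pushed as `onload=alert(1) x="…"`, an injected event handler, while `">` merely turns into an entity sequence that is not a valid attribute name either. sanitizeValue is not shown here, so this assumes it only entity-escapes, as the XSS snapshot suggests; if so, an allowlist is the safer rule for names: hoist `const ATTR_NAME_RE = /^[a-zA-Z_:][a-zA-Z0-9_:.-]*$/;` to module scope, replace the new check with `if (sanitizedAttrValue === null || !ATTR_NAME_RE.test(attrName)) { continue; }`, and push the raw `attrName`. The identifier `sannitizedAttrName` is also misspelled; `sanitizedAttrName` would match `sanitizedAttrValue`. `_getMetaTags` starts and ends outside the hunk.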