diff --git a/functions/helloworld/index.js b/functions/helloworld/index.js
index 468347f97e..a65905f9e1 100644
--- a/functions/helloworld/index.js
+++ b/functions/helloworld/index.js
@@ -16,6 +16,7 @@
'use strict';
const Buffer = require('safe-buffer').Buffer;
+const escapeHtml = require('escape-html');
// [START functions_helloworld_get]
/**
@@ -44,7 +45,7 @@ exports.helloGET = (req, res) => {
*/
// [START functions_tips_terminate]
exports.helloHttp = (req, res) => {
- res.send(`Hello ${req.body.name || 'World'}!`);
+ res.send(`Hello ${escapeHtml(req.body.name || 'World')}!`);
};
// [END functions_helloworld_http]
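Review bot: The `escapeHtml(...)` wrapper on the new `res.send` line is now the only thing standing between `req.body.name` and the browser, because Express's `res.send` serves a string body as `text/html` unless a content type was set beforehand, so a later edit that drops the call reintroduces the same markup injection. Since the greeting is plain text, set the type explicitly before sending, e.g. `res.set('Content-Type', 'text/plain; charset=utf-8');` on the line above `res.send(...)`, so the escaping becomes defence in depth rather than the sole barrier. The `req.body.name || 'World'` fallback is unchanged by this hunk and still treats `''` as absent; if a request could ever reach this handler without a parsed body, `req.body.name` would throw before escaping runs, which is worth confirming against the runtime's body parsing.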
diff --git a/functions/helloworld/package.json b/functions/helloworld/package.json
index 3f654f20f6..29334db8d0 100644
--- a/functions/helloworld/package.json
+++ b/functions/helloworld/package.json
@@ -20,6 +20,7 @@
},
"dependencies": {
"@google-cloud/debug-agent": "2.4.0",
+ "escape-html": "^1.0.3",
"pug": "2.0.3",
"safe-buffer": "5.1.1"
},
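Review bot: `"escape-html": "^1.0.3"` is the only caret range in this dependencies block; the neighbouring entries (`@google-cloud/debug-agent`, `pug`, `safe-buffer`) are pinned to exact versions, so this addition silently loosens the install's reproducibility for a package that is now on the response path. For consistency with the rest of the block and a stable supply chain, pin it the same way, `"escape-html": "1.0.3",`, and bump deliberately when needed.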
diff --git a/functions/helloworld/test/index.test.js b/functions/helloworld/test/index.test.js
index 360d5945d4..c0d58d7e76 100644
--- a/functions/helloworld/test/index.test.js
+++ b/functions/helloworld/test/index.test.js
@@ -71,6 +71,17 @@ test.cb(`helloHttp: should print hello world`, (t) => {
.end(t.end);
});
+test.cb.serial(`helloHttp: should escape XSS`, (t) => {
+ supertest(BASE_URL)
+ .post(`/helloHttp`)
+ .send({ name: '' })
+ .expect(200)
+ .expect((response) => {
+ t.false(response.text.includes('` };
+ httpSample.sample.helloContent(mocks.req, mocks.res);
+
+ t.true(mocks.res.status.calledOnce);
+ t.is(mocks.res.status.firstCall.args[0], 200);
+ t.true(mocks.res.send.calledOnce);
+ t.false(mocks.res.send.firstCall.args[0].includes('