GoogleCloudPlatform · fhinkel · Nov 9, 2018 · Oct 31, 2018 · Nov 6, 2018 · Nov 6, 2018
diff --git a/functions/helloworld/index.js b/functions/helloworld/index.js
@@ -16,6 +16,7 @@
 'use strict';
 
 const Buffer = require('safe-buffer').Buffer;
+const escapeHtml = require('escape-html');
 
 // [START functions_helloworld_get]
 /**
@@ -44,7 +45,7 @@ exports.helloGET = (req, res) => {
  */
 // [START functions_tips_terminate]
 exports.helloHttp = (req, res) => {
-  res.send(`Hello ${req.body.name || 'World'}!`);
+  res.send(`Hello ${escapeHtml(req.body.name || 'World')}!`);
 };
 // [END functions_helloworld_http]
 

diff --git a/functions/helloworld/package.json b/functions/helloworld/package.json
@@ -20,6 +20,7 @@
   },
   "dependencies": {
     "@google-cloud/debug-agent": "2.4.0",
+    "escape-html": "^1.0.3",
     "pug": "2.0.3",
     "safe-buffer": "5.1.1"
   },

diff --git a/functions/helloworld/test/index.test.js b/functions/helloworld/test/index.test.js
@@ -71,6 +71,17 @@ test.cb(`helloHttp: should print hello world`, (t) => {
     .end(t.end);
 });
 
+test.cb.serial(`helloHttp: should escape XSS`, (t) => {
+  supertest(BASE_URL)
+    .post(`/helloHttp`)
+    .send({ name: '<script>alert(1)</script>' })
+    .expect(200)
+    .expect((response) => {
+      t.false(response.text.includes('<script>'));
+    })
+    .end(t.end);
+});
+
 test(`helloBackground: should print a name`, async (t) => {
   const data = JSON.stringify({name: 'John'});
   const output = await tools.runAsync(`${baseCmd} call helloBackground --data '${data}'`);

diff --git a/functions/http/index.js b/functions/http/index.js
@@ -16,6 +16,8 @@
 'use strict';
 
 // [START functions_http_content]
+const escapeHtml = require('escape-html');
+
 /**
  * Responds to an HTTP request using data from the request body parsed according
  * to the "content-type" header.
@@ -48,7 +50,7 @@ exports.helloContent = (req, res) => {
       break;
   }
 
-  res.status(200).send(`Hello ${name || 'World'}!`);
+  res.status(200).send(`Hello ${escapeHtml(name || 'World')}!`);
 };
 // [END functions_http_content]
 

diff --git a/functions/http/package.json b/functions/http/package.json
@@ -26,6 +26,7 @@
   "dependencies": {
     "@google-cloud/storage": "1.7.0",
     "busboy": "^0.2.14",
+    "escape-html": "^1.0.3",
     "safe-buffer": "5.1.1"
   },
   "cloud-repo-tools": {

diff --git a/functions/http/test/index.test.js b/functions/http/test/index.test.js
@@ -167,6 +167,19 @@ test.serial(`http:helloContent: should handle other`, (t) => {
   t.deepEqual(mocks.res.send.firstCall.args[0], `Hello World!`);
 });
 
+test.serial(`http:helloContent: should escape XSS`, (t) => {
+  const mocks = getMocks();
+  const httpSample = getSample();
+  mocks.req.headers[`content-type`] = `text/plain`;
+  mocks.req.body = { name: `<script>alert(1)</script>` };
+  httpSample.sample.helloContent(mocks.req, mocks.res);
+
+  t.true(mocks.res.status.calledOnce);
+  t.is(mocks.res.status.firstCall.args[0], 200);
+  t.true(mocks.res.send.calledOnce);
+  t.false(mocks.res.send.firstCall.args[0].includes('<script>'));
+});
+
 test.serial(`http:cors: should respond to preflight request (no auth)`, (t) => {
   const mocks = getMocks();
   const httpSample = getSample();