Sanitize JSON for adgeneration

prebid · Aug 30, 2022 · cbd529f · cbd529f
1 parent 47a32d8
commit cbd529f
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/modules/adgenerationBidAdapter.js b/modules/adgenerationBidAdapter.js
@@ -1,4 +1,4 @@
-import {tryAppendQueryString, getBidIdParameter} from '../src/utils.js';
+import {tryAppendQueryString, getBidIdParameter, sanitizeForHtml} from '../src/utils.js';
 import {registerBidder} from '../src/adapters/bidderFactory.js';
 import {BANNER, NATIVE} from '../src/mediaTypes.js';
 import {config} from '../src/config.js';
@@ -230,7 +230,7 @@ function insertVASTMethodForAPV(targetId, vastXml) {
   };
   let script = document.createElement(`script`);
   script.type = 'text/javascript';
-  script.innerHTML = `(function(){ new APV.VideoAd(${JSON.stringify(apvVideoAdParam)}).load('${vastXml.replace(/\r?\n/g, '')}'); })();`;
+  script.innerHTML = `(function(){ new APV.VideoAd(${sanitizeForHtml(JSON.stringify(apvVideoAdParam))}).load('${vastXml.replace(/\r?\n/g, '')}'); })();`;
   return script.outerHTML;
 }
 

diff --git a/src/utils.js b/src/utils.js
@@ -1381,3 +1381,30 @@ export function setScriptAttributes(script, attributes) {
     }
   }
 }
+
+/**
+ * Encode a string for inclusion in HTML.
+ * See https://pragmaticwebsecurity.com/articles/spasecurity/json-stringify-xss.html and
+ * https://codeql.github.com/codeql-query-help/javascript/js-bad-code-sanitization/
+ * @return {string}
+ */
+export const sanitizeForHtml = (() => {
+  const escapes = {
+    '<': '\\u003C',
+    '>': '\\u003E',
+    '/': '\\u002F',
+    '\\': '\\\\',
+    '\b': '\\b',
+    '\f': '\\f',
+    '\n': '\\n',
+    '\r': '\\r',
+    '\t': '\\t',
+    '\0': '\\0',
+    '\u2028': '\\u2028',
+    '\u2029': '\\u2029'
+  };
+
+  return function(str) {
+    return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\]/g, x => escapes[x])
+  }
+})();
diff --git a/test/spec/modules/emx_digitalBidAdapter_spec.js b/test/spec/modules/emx_digitalBidAdapter_spec.js
@@ -251,8 +251,8 @@ describe('emx_digital Adapter', function () {
     it('contains a properly formatted endpoint url', function () {
       const url = request.url.split('?');
       const queryParams = url[1].split('&');
-      expect(queryParams[0]).to.match(new RegExp('^t=d*', 'g'));
-      expect(queryParams[1]).to.match(new RegExp('^ts=d*', 'g'));
+      expect(queryParams[0]).to.match(new RegExp('^t=\d*', 'g'));
+      expect(queryParams[1]).to.match(new RegExp('^ts=\d*', 'g'));
     });
 
     it('builds bidfloor value from bid param when getFloor function does not exist', function () {