From 7c012884bbd04b0fb6dea4d8d42b14f5d519fb6c Mon Sep 17 00:00:00 2001
From: taniy8
Date: Fri, 12 Jun 2026 05:06:32 +0530
Subject: [PATCH 1/2] fix: sanitize username input in generateNotFoundSVG to prevent SVG injection

---
 lib/svg/generator.ts | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/lib/svg/generator.ts b/lib/svg/generator.ts
index 5cdb92557..0e414517c 100644
--- a/lib/svg/generator.ts
+++ b/lib/svg/generator.ts
@@ -1971,7 +1971,8 @@ export function generateNotFoundSVG(
 radius: number,
 speed: string = '8s'
 ): string {
- const safeName = escapeXML(username.toUpperCase());
+ const sanitizedUsername = username.replace(/[^a-zA-Z0-9\-]/g, '').slice(0, 39) || 'unknown';
+ const safeName = escapeXML(sanitizedUsername.toUpperCase());
 
 const ghostTowersHtml = renderGhostTowers(GHOST_LAYOUT, accent);
 const safeId = safeName.replace(/[^a-zA-Z0-9-]/g, '_').toLowerCase();

From 4d9fd86ca4ee995a1bf42d7717a8428b7ef5ccd6 Mon Sep 17 00:00:00 2001
From: taniy8
Date: Fri, 12 Jun 2026 11:51:39 +0530
Subject: [PATCH 2/2] fix: sanitize username input in generateNotFoundSVG to prevent SVG injection

---
 lib/svg/generator.test.ts | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/lib/svg/generator.test.ts b/lib/svg/generator.test.ts
index b1c50a3bd..550a2a728 100644
--- a/lib/svg/generator.test.ts
+++ b/lib/svg/generator.test.ts
@@ -685,7 +685,7 @@ describe('generateSVG', () => {
 it('renders the username in uppercase and escapes XML-reserved characters', () => {
 const svg = generateNotFoundSVG('octocat&co', '#0d1117', '#00ffaa', '#ffffff', 8);
- expect(svg).toContain('OCTOCAT&CO');
+ expect(svg).toContain('OCTOCATCO');
 });

 it('displays the "NOT FOUND" text label', () => {
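Review bot: The new `sanitizedUsername` line enforces an undocumented policy — the `[^a-zA-Z0-9\-]` class, the `39` cut-off and the `'unknown'` fallback — and silently rewrites what is rendered (`octocat&co` comes out as `OCTOCATCO`, as the test change in the second patch shows), so the intent belongs next to the code, e.g. `// Allow-list to the expected username alphabet (alphanumerics and '-', max 39 chars); only the canonical form is reflected into the SVG. escapeXML below remains the XML-safety boundary.` with the limit hoisted to `const MAX_USERNAME_LENGTH = 39;`. Because `escapeXML` still wraps the result, this is defence in depth rather than a fix for an escaping flaw; if the previous `escapeXML(username.toUpperCase())` path really was injectable, the root cause is in `escapeXML` and its other call sites remain exposed, which the commit does not address. The same character class is repeated two lines later in `safeId`'s `replace(/[^a-zA-Z0-9-]/g, '_')`, which is now a no-op on the sanitized name; sharing one constant would keep the two in step. The test `it('renders the username in uppercase and escapes XML-reserved characters', …)` in generator.test.ts now asserts removal rather than escaping, so its description no longer matches what it checks. generateNotFoundSVG's signature starts before the hunk and its body continues after it.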