
fix(web): block } in sanitizeTokenValue to prevent CSS block-escape injection (ATB-59)

+1 -1
+1 -1
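--- a/apps/web/src/routes/admin-themes.tsx
+++ b/apps/web/src/routes/admin-themes.tsx
@@ -91,7 +91,7 @@
 /** Drop token values that could break the CSS style block. */
 function sanitizeTokenValue(value: unknown): string | null {
 if (typeof value !== "string") return null;
-if (value.includes("<") || value.includes(";") || value.includes("</")) return null;
+if (value.includes("<") || value.includes(";") || value.includes("}")) return null;
 return value;
 }
 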
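Review bot: sanitizeTokenValue is still a denylist, and with `}` added it continues to pass values containing `{`, `/*` or a backslash, each of which can change how the CSS parser consumes the rest of the style block. Assuming the value is interpolated into a declaration inside a `<style>` element (the emitting code is outside this hunk), consider widening the check to `if (/[<;{}\\]|\/\*/.test(value)) return null;`, or preferably an allowlist of the characters theme tokens actually need. The doc comment could also list the rejected characters and why, so the next change does not drop one by accident. With one file changed at +1 -1, no regression test accompanies the fix; an assertion that a value containing `}` returns `null` would pin ATB-59.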