fix(error-response-plugin): percentage-encode path < and > to limit XSS

MegaManSec · MegaManSec · commit 597599e43dd2 · 2025-08-24T23:57:25.000+02:00
diff --git a/src/plugins/default/error-response-plugin.ts b/src/plugins/default/error-response-plugin.ts
@@ -25,8 +25,12 @@ export const errorResponsePlugin: Plugin = (proxyServer, options) => {
         res.writeHead(statusCode);
       }
 
+      const encodedPath = req.url
+        .replace(/</g, '%3C')
+        .replace(/>/g, '%3E');
+
       const host = req.headers && req.headers.host;
-      res.end(`Error occurred while trying to proxy: ${host}${req.url}`);
+      res.end(`Error occurred while trying to proxy: ${host}${encodedPath}`);
     } else if (isSocketLike(res)) {
       res.destroy();
     }

Original file line number	Diff line number	Diff line change
`@@ -25,8 +25,12 @@ export const errorResponsePlugin: Plugin = (proxyServer, options) => {`
`25`	`25`	`res.writeHead(statusCode);`
`26`	`26`	`}`
`27`	`27`
	`28`	`+ const encodedPath = req.url`
	`29`	`+ .replace(/</g, '%3C')`
	`30`	`+ .replace(/>/g, '%3E');`
	`31`	`+`
`28`	`32`	`const host = req.headers && req.headers.host;`
`29`		- res.end(`Error occurred while trying to proxy: ${host}${req.url}`);
	`33`	+ res.end(`Error occurred while trying to proxy: ${host}${encodedPath}`);
`30`	`34`	`} else if (isSocketLike(res)) {`
`31`	`35`	`res.destroy();`
`32`	`36`	`}`