diff --git a/src/utils/bin/commands.ts b/src/utils/bin/commands.ts
index 338c9f87d..3d53b5937 100644
--- a/src/utils/bin/commands.ts
+++ b/src/utils/bin/commands.ts
@@ -93,7 +93,8 @@ export const reddit = async (args: string[]): Promise => {
 // Typical linux commands
 export const echo = async (args: string[]): Promise => {
- return args.join(' ');
+ return args.join(' ').replace( /<(?:(?:(?:(script|style|object|embed|applet|noframes|noscript|noembed)(?:\s+(?:"[\S\s]*?"|'[\S\s]*?'|(?:(?!\/>)[^>])?)+)?\s*>)[\S\s]*?<\/\1\s*(?=>))|(?:\/?[\w:]+\s*\/?)|(?:[\w:]+\s+(?:"[\S\s]*?"|'[\S\s]*?'|[^>]?)+\s*\/?)|\?[\S\s]*?\?|(?:!(?:(?:DOCTYPE[\S\s]*?)|(?:\[CDATA\[[\S\s]*?\]\])|(?:--[\S\s]*?--)|(?:ATTLIST[\S\s]*?)|(?:ENTITY[\S\s]*?)|(?:ELEMENT[\S\s]*?))))>/g,"");
+ //taken from: https://stackoverflow.com/questions/57398785/prevent-html-injections-with-javascript-typescript
 };
 export const whoami = async (args: string[]): Promise => {
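Review bot: The new `echo` body strips tags with a single-pass denylist regex, which is not a reliable defence against HTML injection: one `replace` pass is not idempotent, so text left over after a removal can join into new markup, and a tag with no closing `>` is not matched at all. If the command output is rendered as HTML (the sink is outside this hunk, so this is inferred), encode instead of stripping, e.g. `return args.join(' ').replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');`, or better, have the renderer insert command output as text. The attribute group `(?:"[\S\s]*?"|'[\S\s]*?'|[^>]?)+` repeats overlapping alternatives and may backtrack heavily on long input, and the pattern also silently drops legitimate text such as `a<b>c`. Only `echo` is changed here, so other commands that return argument-derived strings would presumably need the same treatment.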