From fb6128244f9981322e1bc0995a4d2edd797e42c1 Mon Sep 17 00:00:00 2001
From: Faraz Patankar <farazpatankar@gmail.com>
Date: Thu, 1 Feb 2024 19:50:29 +0400
Subject: [PATCH] sanitize args before rendering error html

---
 src/pages/api/image.ts | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/pages/api/image.ts b/src/pages/api/image.ts
index fedffd3f3..535bb0d58 100644
--- a/src/pages/api/image.ts
+++ b/src/pages/api/image.ts
@@ -1,7 +1,9 @@
 import { NextApiHandler } from "next";
-import { getLayoutAndConfig } from "../../layouts";
 import { z } from "zod";
+
+import { getLayoutAndConfig } from "../../layouts";
 import { renderLayoutToSVG, renderSVGToPNG } from "../../og";
+import { sanitizeHtml } from "../../layouts/utils";
 
 const imageReq = z.object({
   layoutName: z.string(),
@@ -38,7 +40,9 @@ const handler: NextApiHandler = async (req, res) => {
     res.statusCode = 500;
     res.setHeader("Content-Type", "text/html");
     res.end(
-      `<h1>Internal Error</h1><pre><code>${(e as any).message}</code></pre>`,
+      `<h1>Internal Error</h1><pre><code>${sanitizeHtml(
+        (e as any).message,
+      )}</code></pre>`,
     );
     console.error(e);
   }