
Merge pull request #9631 from weseek/support/161421-161502-sanitize-attachment-refs-query-params

fix: Add XSS filter to remark-attachment-refs /refs endpoint
mergify[bot] 1 год назад
Родитель
Сommit
af2a3beef7
1 измененных файлов с 3 добавлено и 2 удалено
      packages/remark-attachment-refs/src/server/routes/refs.ts

+ 3 - 2
packages/remark-attachment-refs/src/server/routes/refs.ts

@@ -86,6 +86,7 @@ export const routesFactory = (crowi): any => {
   router.get('/ref', accessTokenParser, loginRequired, async(req: RequestWithUser, res) => {
   router.get('/ref', accessTokenParser, loginRequired, async(req: RequestWithUser, res) => {
     const user = req.user;
     const user = req.user;
     const { pagePath, fileNameOrId } = req.query;
     const { pagePath, fileNameOrId } = req.query;
+    const filterXSS = new FilterXSS();
 
 
     if (pagePath == null) {
     if (pagePath == null) {
       res.status(400).send('the param \'pagePath\' must be set.');
       res.status(400).send('the param \'pagePath\' must be set.');
@@ -96,7 +97,7 @@ export const routesFactory = (crowi): any => {
 
 
     // not found
     // not found
     if (page == null) {
     if (page == null) {
-      res.status(404).send(`pagePath: '${pagePath}' is not found or forbidden.`);
+      res.status(404).send(filterXSS.process(`pagePath: '${pagePath}' is not found or forbidden.`));
       return;
       return;
     }
     }
 
 
@@ -117,7 +118,7 @@ export const routesFactory = (crowi): any => {
 
 
     // not found
     // not found
     if (attachment == null) {
     if (attachment == null) {
-      res.status(404).send(`attachment '${fileNameOrId}' is not found.`);
+      res.status(404).send(filterXSS.process(`attachment '${fileNameOrId}' is not found.`));
       return;
       return;
     }
     }