Summary
The OG HTML endpoints in policyengine-app-v2 are vulnerable to reflected XSS via the path query parameter.
Severity
High
Impact
A crafted query string can break out of attribute context and return executable HTML/JS in the OG response.
Affected code
- app/api/og.ts:79-107,237-241
- mirrored copy in policyengine-app-v2-blog/app/api/og.ts:74-102,232-236
Details
pathname from url.searchParams.get("path") is concatenated into fullUrl and then injected into og:url, canonical-style links, and <a href> attributes without escaping.
Expected behavior
User-controlled URL parts should be escaped for HTML attribute context or encoded before interpolation.
Suggested remediation
- Escape url before writing it into HTML
- Prefer constructing safe URLs and serializing with an attribute escaper
- Add regression tests with quote-breaking payloads
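As an added illustration (not code from policyengine-app-v2 or its blog mirror), the raw concatenation pattern the advisory describes is shown beside a hardened version that builds the URL with the URL API and escapes it for attribute context; the function names, the single-leading-slash constraint on path, and the probe string are assumptions.

```typescript
// Added example, not the project's og.ts: attribute-context escaping for
// user-controlled URL parts before they are interpolated into OG HTML.

/** Escape a string for use inside a double- or single-quoted HTML attribute. */
function escapeAttr(value: string): string {
  return value
    .replace(/&/g, "&amp;") // must run first so later entities are not re-escaped
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

/** Vulnerable pattern (as described in the advisory): plain string concatenation. */
function buildFullUrlUnsafe(origin: string, path: string | null): string {
  return origin + (path ?? "");
}

/**
 * Hardened pattern: accept only a site-relative path (assumed constraint:
 * exactly one leading "/", so protocol-relative "//host" is rejected) and let
 * the URL parser percent-encode characters that are not valid in a path.
 */
function buildFullUrl(origin: string, path: string | null): string {
  const candidate =
    path !== null && path.startsWith("/") && !path.startsWith("//") ? path : "/";
  return new URL(candidate, origin).href;
}

/** Unsafe render: the URL lands in attribute context with no escaping. */
function renderOgUnsafe(fullUrl: string): string {
  return `<meta property="og:url" content="${fullUrl}"><a href="${fullUrl}">Open</a>`;
}

/** Safe render: every interpolation into an attribute goes through escapeAttr. */
function renderOgSafe(fullUrl: string): string {
  const u = escapeAttr(fullUrl);
  return `<meta property="og:url" content="${u}"><a href="${u}">Open</a>`;
}

/** Regression helper: true if the rendered HTML still contains the raw probe. */
function containsRawProbe(html: string, probe: string): boolean {
  return html.includes(probe);
}
```

A regression test feeds a quote-breaking probe through both builders and asserts that only the unsafe path reproduces it verbatim.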