
companion: sanitize text before adding to html

Ifedapo Olarewaju 6 years ago
parent
commit
2bf0755cea

+ 2 - 2
packages/@uppy/companion/src/server/controllers/callback.js

@@ -4,7 +4,7 @@
  */
 const tokenService = require('../helpers/jwt')
 const parseUrl = require('url').parse
-const { hasMatch } = require('../helpers/utils')
+const { hasMatch, sanitizeHtml } = require('../helpers/utils')
 const oAuthState = require('../helpers/oauth-state')
 const logger = require('../logger')
 
@@ -40,7 +40,7 @@ module.exports = function callback (req, res, next) {
         <head>
             <meta charset="utf-8" />
             <script>
-              window.opener.postMessage({token: "${uppyAuthToken}"}, "${origin}")
+              window.opener.postMessage({token: "${uppyAuthToken}"}, "${sanitizeHtml(origin)}")
               window.close()
             </script>
         </head>
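Review bot: Tag-stripping is the wrong escaping for this position: on the added line `origin` is interpolated inside a double-quoted JavaScript string literal within a `<script>` block, and `sanitizeHtml` (per the utils.js hunk in this commit) only removes `<...>` runs, so a `"` or `\` in `origin` still terminates the literal and lets the rest of the value run as script. Emitting the value as a JSON literal, with `<` encoded so `</script>` cannot appear, fits the context: `window.opener.postMessage({token: "${uppyAuthToken}"}, ${JSON.stringify(origin).replace(/</g, '\\u003c')})`. The same interpolation applies to `uppyAuthToken` on that line; whether it needs the same treatment depends on where it is produced, which is not visible here. The enclosing `callback` function starts before the hunk and continues after it.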

+ 9 - 0
packages/@uppy/companion/src/server/helpers/utils.js

@@ -32,6 +32,15 @@ exports.jsonStringify = (data) => {
   })
 }
 
+/**
+ * Does a simple html sanitization on the passed value
+ *
+ * @param {string} text
+ */
+exports.sanitizeHtml = (text) => {
+  return text.replace(/<\/?[^>]+(>|$)/g, '')
+}
+
 /**
  * Gets the size and content type of a url's content
  *
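Review bot: The JSDoc on `sanitizeHtml` does not say what the function guarantees, and "simple html sanitization" overstates it: the regex removes runs shaped like tags but leaves `"`, `'`, `&` and `\` untouched, so the output is not safe to place inside an attribute value or a JavaScript string literal (the context in which callback.js now calls it). I would state the limit explicitly: `* Strips anything shaped like an HTML tag (\`<...>\` or an unterminated \`<...\` at end of input). Does not escape quotes, ampersands or backslashes, so the result is only suitable as HTML text content, not for attributes or script contexts.` and add `* @returns {string} the input with tag-like runs removed`. Note also that `text.replace` throws a TypeError when `text` is not a string, so a caller passing an undefined value now fails where the previous code would have interpolated it; documenting `@param {string} text` as required, or guarding with `String(text ?? '')`, makes that contract visible.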