From d7ef10b65e967e73c74cc5a514e274df1b1346df Mon Sep 17 00:00:00 2001
From: ashley
Date: Sat, 11 May 2024 02:33:43 +0000
Subject: [PATCH] fix the XSS in user pages

---
 src/libpoketube/init/pages-account.js | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/libpoketube/init/pages-account.js b/src/libpoketube/init/pages-account.js
index 9cb65b4e..253eb6cb 100644
--- a/src/libpoketube/init/pages-account.js
+++ b/src/libpoketube/init/pages-account.js
@@ -104,10 +104,17 @@ app.get("/account-create", async function (req, res) {
 }
 });
- app.get("/my-acc", async function (req, res) {
- var userid = req.query.ID
- var userSubs = db.get(`user.${userid}.subs`)
- renderTemplate(res, req, "account-me.ejs", { userid, userSubs });
+app.get("/my-acc", async function (req, res) {
+ var userid = req.query.ID;
+ // Check if userid is more than 6 characters
+ if (userid.length > 6) {
+ return res.status(400).json({ error: "IDs can be 6 characters max" });
+ }
+
+ var userSubs = db.get(`user.${userid}.subs`);
+
+ renderTemplate(res, req, "account-me.ejs", { userid, userSubs });
 });
+
 };
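Review bot: The new guard `if (userid.length > 6)` only caps length and never constrains content or type, so despite the commit title a short payload, or a non-string query value, still reaches `db.get` and the template untouched. `req.query.ID` is undefined when the parameter is absent, which makes `userid.length` throw inside the async handler, and with the Express query parser `?ID=a&ID=b` or `?ID[x]=y` yields an array or object whose `.length` is an element count or undefined, so a long string inside an array bypasses the cap and a dotted value like `a.b` changes the `user.${userid}.subs` key path. Replacing the condition with an allow-list, e.g. `if (typeof userid !== "string" || !/^[A-Za-z0-9]{1,6}$/.test(userid)) {`, rejects all of those in one check; adjust the character class to whatever the account-create path actually issues, which is not visible here. Whether the value is HTML-escaped at render time depends on account-me.ejs using `<%= %>` rather than `<%- %>`, which this patch does not show, so that is the XSS boundary worth confirming. The outer function that the trailing `};` closes begins outside the hunk.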