diff --git a/lensmint-public-server/server.js b/lensmint-public-server/server.js
index 313c3b6..0aff36c 100644
--- a/lensmint-public-server/server.js
+++ b/lensmint-public-server/server.js
@@ -47,7 +47,7 @@ let servicesInitialized = false;
 async function initializeServices() {
 try {
 console.log('🔄 Initializing claim server services...');
-
+
 dbService.initialize();
 console.log('✅ Database initialized');
@@ -61,11 +61,23 @@ async function initializeServices() {
 initializeServices();
+// Utility function to escape HTML characters and prevent XSS
+const escapeHtml = (unsafe) => {
+ if (typeof unsafe !== 'string') return unsafe;
+ return unsafe
+ .replace(/&/g, "&")
+ .replace(//g, ">")
+ .replace(/"/g, """)
+ .replace(/'/g, "'");
+};
+
+// Middleware to protect internal API routes
 app.post('/create-claim', (req, res) => {
 try {
- const {
- claim_id,
- cid,
+ const {
+ claim_id,
+ cid,
 metadata_cid,
 device_id,
 camera_id,
@@ -82,9 +94,9 @@ app.post('/create-claim', (req, res) => {
 }
 const claim = dbService.createClaim(
- claim_id,
- null,
- cid,
+ claim_id,
+ null,
+ cid,
 metadata_cid || null,
 device_id || null,
 camera_id || null,
@@ -206,11 +218,11 @@ app.get('/api/metadata/:claim_id', (req, res) => {
 app.post('/update-proof-status', (req, res) => {
 try {
- const {
- claim_id,
- token_id,
- verification_status,
- proof_tx_hash
+ const {
+ claim_id,
+ token_id,
+ verification_status,
+ proof_tx_hash
 } = req.body;
 if (!claim_id) {
@@ -243,9 +255,9 @@ app.post('/update-proof-status', (req, res) => {
 app.get('/verify/:claim_id', async (req, res) => {
 try {
 const { claim_id } = req.params;
-
+
 const claim = dbService.getClaim(claim_id);
-
+
 if (!claim) {
 return res.status(404).send(`
@@ -260,7 +272,7 @@ app.get('/verify/:claim_id', async (req, res) => {
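Review bot: The comment `// Middleware to protect internal API routes` added directly above `app.post('/create-claim', …)` in the `@@ -61,11 +61,23 @@` hunk describes middleware that the hunk does not add, so it should be removed or replaced with something that matches the code below it, e.g. `// Claim creation endpoint`. In `escapeHtml`, the replacement strings as they appear here (`"&"`, `">"`, `"'"`) are the raw characters themselves and the `<`/`>` line looks merged into `.replace(//g, ">")`, which is presumably the page extraction decoding the HTML entities rather than the committed source; confirm the file uses the entity forms for `&`, `<`, `>`, `"` and `'`, and a one-line assertion such as `escapeHtml('<a href="x">')` producing the entity-escaped string would catch a regression. The guard `if (typeof unsafe !== 'string') return unsafe;` hands back numbers, objects, `null` and `undefined` untouched, so a non-string interpolated into an HTML template literal is still rendered raw; coercing with `return String(unsafe ?? '')` ahead of the replace chain makes the helper safe for any value the call site passes. The escaped form is applied only to `claim_id` in the `/verify/:claim_id` 404 body in the final hunk; other request- or database-derived values interpolated into HTML responses in this file would need the same treatment, but those lines are outside the diff.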
The claim ID "${claim_id}" does not exist.
+The claim ID "${escapeHtml(claim_id)}" does not exist.