Fix reflected XSS in /api/vault/meta endpoint (#1129)

murderteeth · claude · web-flow · commit 231ffeb7a5e7 · 2026-03-20T13:51:50.000-04:00
Add strict allowlist validation for chainId and address query parameters
before they are interpolated into HTML. chainId must be numeric and
address must match the 0x-prefixed 40-char hex pattern, otherwise the
request is rejected with a 400. This prevents attackers from breaking
out of meta tag attribute contexts to inject arbitrary HTML/scripts.

Co-authored-by: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/api/vault/meta.ts b/api/vault/meta.ts
@@ -13,6 +13,14 @@ export default async function handler(req: VercelRequest, res: VercelResponse) {
     return res.status(400).json({ error: 'Missing or invalid chainId or address' })
   }
 
+  // Strict allowlist validation to prevent XSS via parameter injection
+  if (!/^\d+$/.test(chainId)) {
+    return res.status(400).json({ error: 'Invalid chainId' })
+  }
+  if (!/^0x[a-fA-F0-9]{40}$/.test(address)) {
+    return res.status(400).json({ error: 'Invalid address' })
+  }
+
   try {
     let html = baseHtml
 
