From 7ae340e2eddad641b7e43d24d37c58a66ce9ddcf Mon Sep 17 00:00:00 2001
From: Bereket Engida <bekacru@gmail.com>
Date: Thu, 6 Feb 2025 00:35:36 +0300
Subject: [PATCH] fix(security): santize query param on error page

---
 packages/better-auth/src/api/routes/error.ts | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/packages/better-auth/src/api/routes/error.ts b/packages/better-auth/src/api/routes/error.ts
index 3704a2eca8..da8cb6a01c 100644
--- a/packages/better-auth/src/api/routes/error.ts
+++ b/packages/better-auth/src/api/routes/error.ts
@@ -1,6 +1,15 @@
 import { HIDE_METADATA } from "../../utils/hide-metadata";
 import { createAuthEndpoint } from "../call";
 
+function sanitize(input: string): string {
+	return input
+		.replace(/&/g, "&amp;")
+		.replace(/</g, "&lt;")
+		.replace(/>/g, "&gt;")
+		.replace(/"/g, "&quot;")
+		.replace(/'/g, "&#39;");
+}
+
 const html = (errorCode: string = "Unknown") => `<!DOCTYPE html>
 <html lang="en">
 <head>
@@ -78,7 +87,9 @@ const html = (errorCode: string = "Unknown") => `<!DOCTYPE html>
         <h1>Better Auth Error</h1>
         <p>We encountered an issue while processing your request. Please try again or contact the application owner if the problem persists.</p>
         <a href="/" id="returnLink" class="btn">Return to Application</a>
-        <div class="error-code">Error Code: <span id="errorCode">${errorCode}</span></div>
+        <div class="error-code">Error Code: <span id="errorCode">${sanitize(
+					errorCode,
+				)}</span></div>
     </div>
 </body>
 </html>`;