fix: safe JSON serialization for inline scripts, env-aware template cache

Author: CKodidela

src/controllers/invoices/get-invoice-controller.ts

@@ -3,7 +3,7 @@ import { Request, Response } from 'express'
 import { createSettings } from '../../factories/settings-factory'
 import { FeeSchedule } from '../../@types/settings'
 import { IController } from '../../@types/controllers'
-import { escapeHtml } from '../../utils/html'
+import { escapeHtml, safeJsonForScript } from '../../utils/html'
 import { getTemplate } from '../../utils/template-cache'
 
 
@@ -21,7 +21,7 @@ export class GetInvoiceController implements IController {
       const feeSchedule = path<FeeSchedule>(['payments', 'feeSchedules', 'admission', '0'], settings)
       const page = getTemplate('./resources/get-invoice.html')
         .replaceAll('{{name}}', escapeHtml(name))
-        .replaceAll('{{processor_json}}', JSON.stringify(settings.payments.processor))
+        .replaceAll('{{processor_json}}', safeJsonForScript(settings.payments.processor))
         .replaceAll('{{amount}}', (BigInt(feeSchedule.amount) / 1000n).toString())
         .replaceAll('{{nonce}}', res.locals.nonce)
 

src/controllers/invoices/post-invoice-controller.ts

@@ -3,7 +3,7 @@ import { fromBech32, toBech32 } from '../../utils/transform'
 import { getPublicKey, getRelayPrivateKey } from '../../utils/event'
 import { Request, Response } from 'express'
 
-import { escapeHtml } from '../../utils/html'
+import { escapeHtml, safeJsonForScript } from '../../utils/html'
 import { createLogger } from '../../factories/logger-factory'
 import { getRemoteAddress } from '../../utils/http'
 import { IController } from '../../@types/controllers'
@@ -171,14 +171,14 @@ export class PostInvoiceController implements IController {
       .replaceAll('{{invoice_html}}', escapeHtml(invoice.bolt11))
       .replaceAll('{{pubkey_html}}', escapeHtml(pubkey))
       .replaceAll('{{amount}}', (amount / 1000n).toString())
-      // JS string contexts — JSON.stringify handles all escaping (quotes, backslashes, </script>)
-      .replaceAll('{{reference_json}}', JSON.stringify(invoice.id))
-      .replaceAll('{{relay_url_json}}', JSON.stringify(relayUrl))
-      .replaceAll('{{relay_pubkey_json}}', JSON.stringify(relayPubkey))
-      .replaceAll('{{invoice_json}}', JSON.stringify(invoice.bolt11))
-      .replaceAll('{{pubkey_json}}', JSON.stringify(pubkey))
-      .replaceAll('{{expires_at_json}}', JSON.stringify(expiresAt))
-      .replaceAll('{{processor_json}}', JSON.stringify(currentSettings.payments.processor))
+      // JS contexts — safeJsonForScript serializes and escapes < to prevent </script> injection
+      .replaceAll('{{reference_json}}', safeJsonForScript(invoice.id))
+      .replaceAll('{{relay_url_json}}', safeJsonForScript(relayUrl))
+      .replaceAll('{{relay_pubkey_json}}', safeJsonForScript(relayPubkey))
+      .replaceAll('{{invoice_json}}', safeJsonForScript(invoice.bolt11))
+      .replaceAll('{{pubkey_json}}', safeJsonForScript(pubkey))
+      .replaceAll('{{expires_at_json}}', safeJsonForScript(expiresAt))
+      .replaceAll('{{processor_json}}', safeJsonForScript(currentSettings.payments.processor))
       // nonce is crypto-random base64 — safe in both attribute and script contexts
       .replaceAll('{{nonce}}', response.locals.nonce)
 

src/utils/html.ts

@@ -8,8 +8,17 @@ const HTML_ESCAPES: Record<string, string> = {
 
 /**
  * Escape a string for safe interpolation into HTML text or attribute values.
- * Always use this (or JSON.stringify for JS contexts) on any value before
- * inserting it into an HTML template via string replacement.
  */
 export const escapeHtml = (value: string): string =>
   value.replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch])
+
+/**
+ * Serialize a value for safe embedding inside an inline <script> block.
+ *
+ * JSON.stringify alone is NOT sufficient: it leaves `<` unescaped, so a value
+ * containing `</script>` would terminate the script block and allow injection.
+ * After serializing, replace every `<` with the Unicode escape `\u003C`, which
+ * is valid JSON and prevents the browser from treating the character as markup.
+ */
+export const safeJsonForScript = (value: unknown): string =>
+  JSON.stringify(value).replace(/</g, '\\u003C')

src/utils/template-cache.ts

@@ -1,17 +1,28 @@
 import { readFileSync } from 'fs'
 
 const cache = new Map<string, string>()
+const isProd = process.env.NODE_ENV === 'production'
 
 /**
  * Return the raw content of a template file.
- * The file is read from disk exactly once; subsequent calls return the cached
- * string without any I/O, keeping template reads off the hot request path.
+ *
+ * In production (NODE_ENV=production) the file is read from disk once and
+ * cached for the lifetime of the process — no per-request I/O. Operators who
+ * edit files under resources/ must restart the process for changes to take
+ * effect.
+ *
+ * Outside of production the cache is bypassed so template edits are reflected
+ * immediately without a restart.
  */
 export const getTemplate = (path: string): string => {
-  let template = cache.get(path)
-  if (template === undefined) {
-    template = readFileSync(path, 'utf8')
-    cache.set(path, template)
+  if (isProd) {
+    let template = cache.get(path)
+    if (template === undefined) {
+      template = readFileSync(path, 'utf8')
+      cache.set(path, template)
+    }
+    return template
   }
-  return template
+
+  return readFileSync(path, 'utf8')
 }