From 592bd1c1d9ccaf132aab37a97f04cbdb36ef2683 Mon Sep 17 00:00:00 2001
From: not-nullptr
Date: Thu, 14 Nov 2024 09:05:37 +0000
Subject: [PATCH] fix: strange xss vulnerability in theme cookie

---
 src/hooks.server.ts | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/hooks.server.ts b/src/hooks.server.ts
index a847d23..d28c64a 100644
--- a/src/hooks.server.ts
+++ b/src/hooks.server.ts
@@ -1,7 +1,14 @@
 import type { Handle } from "@sveltejs/kit";
 
 export const handle: Handle = async ({ event, resolve }) => {
-const theme = event.cookies.get("theme") ?? "";
+let theme = event.cookies.get("theme") ?? "";
+if (theme !== "dark" && theme !== "light") {
+event.cookies.set("theme", "", {
+path: "/",
+sameSite: "strict",
+});
+theme = "";
+}
 const res = await resolve(event, {
 transformPageChunk: ({ html }) => html.replace("%theme%", theme),
 });
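Review bot: The new `if` block clears the cookie even when no cookie was sent, because a missing cookie becomes `""` through `?? ""` and then fails the allowlist, so every response to a visitor who has never chosen a theme carries a `Set-Cookie: theme=` header. Distinguishing absent from present-but-invalid avoids that write, and `cookies.delete` states the intent better than setting an empty value; SvelteKit's `cookies.set` also applies its own defaults (`httpOnly` among them, as far as I recall), which may matter if the theme toggle is client-side JavaScript writing `document.cookie` — worth confirming. The allowlist itself is the right fix: only `dark`/`light` can reach `html.replace("%theme%", theme)`, so neither markup nor `$`-replacement patterns from the cookie land in the page, and a one-line comment such as `// Only allowlisted values reach the HTML template; anything else is dropped.` would make that contract explicit. `handle` continues past the end of the hunk.

```typescript
export const handle: Handle = async ({ event, resolve }) => {
	// Only allowlisted values reach the HTML template; anything else is dropped.
	const raw = event.cookies.get("theme");
	let theme = "";
	if (raw === "dark" || raw === "light") {
		theme = raw;
	} else if (raw !== undefined) {
		// A cookie was sent but holds an unexpected value: remove it rather than rewrite it as empty.
		event.cookies.delete("theme", { path: "/" });
	}
	// … unchanged: resolve() with transformPageChunk …
```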