Deployment failed with the following error: Learn More: https://vercel.com/docs/concepts/projects/project-configuration
Codex Review: Here are some suggestions.
Reply with @codex fix comments to fix any unresolved comments.
About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you open a pull request for review, mark a draft as ready, or comment "@codex review". If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex fix this CI failure" or "@codex address that feedback".
| const query = (req as any).query || {}; | ||
| const market = typeof query.market === 'string' ? (query.market as string) : undefined; | ||
| const { title, description, image } = getMarketMeta(market); | ||
|
|
||
| const headTags = `\n <meta property="og:title" content="${title}" />\n <meta property="og:image" content="${image}" />\n <meta name="description" content="${description}" />\n <meta property="og:description" content="${description}" />\n `; | ||
|
|
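Review bot: `market` is interpolated straight into the `content="…"` attributes of `headTags` with no HTML escaping, so a value containing `"` or `<` closes the attribute and the rest of the query lands in the page head (the same issue the P1 comment below raises). Either escape `&`, `<`, `>`, `"` and `'` at the point of interpolation, or only accept values that are keys of the known market map and fall back to the default meta for anything else; doing both is cheapest. The `(req as any).query` cast is also what trips the `Unexpected any` lint failure listed in the PR summary; typing `req` with the Vercel request type removes both the cast and the `as string` assertion on the next line.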
[P1] Escape market query before injecting meta tags
The handler writes the market query string directly into the OG title/description meta tags without any escaping, so a crafted URL like /trade?market=%22%3E<script>alert(1)</script> will inject arbitrary HTML/JS into the returned page head. That exposes both users and crawlers that fetch the URL to XSS. The values should be sanitized or restricted to a whitelist before interpolating them into the HTML.
Useful? React with 👍 / 👎.
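The fix both Codex comments point at, as an added example that is not the PR's code: decode the query defensively, treat the market map as an allow-list, and escape at the HTML boundary. `MARKET_LOGOS` and the URLs in it are constructed placeholders standing in for the PR's `MARKETS_FULL_LOGOS`, using plain strings rather than imported image modules so the function can run in a Node serverless bundle.

```typescript
// Added example (not the PR's code): /trade meta-tag logic with input
// validation and output escaping. MARKET_LOGOS is a constructed stand-in for
// the PR's MARKETS_FULL_LOGOS, using plain URL strings instead of asset modules.
const DEFAULT_LOGO = "https://example.invalid/logos/default.png";
const MARKET_LOGOS: Record<string, string> = {
  "ETH/USD": "https://example.invalid/logos/eth-usd.png",
  "BTC/USD": "https://example.invalid/logos/btc-usd.png",
};

interface MarketMeta { title: string; description: string; image: string; }

// Escape the characters that can close an attribute or open a tag.
function escapeHtml(value: string): string {
  return value
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// decodeURIComponent throws URIError on malformed input such as a lone "%";
// catch it so a bad query selects the default page instead of causing a 500.
function decodeMarket(raw: unknown): string | undefined {
  if (typeof raw !== "string" || raw.length === 0 || raw.length > 64) return undefined;
  try { return decodeURIComponent(raw); } catch { return undefined; }
}

// Allow-list: only a market present in the map gets its own title and logo.
// Unknown input never reaches the HTML, it merely selects the default meta.
function getMarketMeta(raw: unknown): MarketMeta {
  const decoded = decodeMarket(raw);
  if (decoded !== undefined && Object.prototype.hasOwnProperty.call(MARKET_LOGOS, decoded)) {
    return { title: decoded, description: `Trade ${decoded} on Overlay Markets`, image: MARKET_LOGOS[decoded] };
  }
  const title = "Overlay Markets";
  return { title, description: `Trade ${title} on Overlay Markets`, image: DEFAULT_LOGO };
}

// Escape at the HTML boundary regardless of the allow-list, so a future map
// entry containing "&" or a quote cannot reintroduce attribute injection.
function buildHeadTags(raw: unknown): string {
  const { title, description, image } = getMarketMeta(raw);
  return [
    `<meta property="og:title" content="${escapeHtml(title)}" />`,
    `<meta property="og:image" content="${escapeHtml(image)}" />`,
    `<meta name="description" content="${escapeHtml(description)}" />`,
    `<meta property="og:description" content="${escapeHtml(description)}" />`,
  ].join("\n");
}
```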
| import { DEFAULT_LOGO, MARKETS_FULL_LOGOS } from "../constants/markets"; | ||
|
|
||
| export interface MarketMeta { | ||
| title: string; | ||
| description: string; | ||
| image: string; | ||
| } | ||
|
|
||
| export function getMarketMeta(encodedMarket?: string): MarketMeta { | ||
| const marketKey = encodedMarket ?? ""; | ||
| const title = marketKey ? decodeURIComponent(marketKey) : "Overlay Markets"; | ||
| const image = MARKETS_FULL_LOGOS[marketKey] ?? DEFAULT_LOGO; | ||
| const description = `Trade ${title} on Overlay Markets`; |
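Review bot: the title and the logo lookup use different keys: `title` is `decodeURIComponent(marketKey)` but `MARKETS_FULL_LOGOS[marketKey]` is indexed with the still-encoded value, so any market whose name is percent-encoded in the URL (a `/` arrives as `%2F`) never matches and silently gets `DEFAULT_LOGO`. Decode once up front and use the decoded key for both. `decodeURIComponent` also throws `URIError` on malformed input such as a bare `%`, which this function does not catch, so a bad query becomes an unhandled error in the serverless function; wrap the decode in try/catch and fall back to the default meta.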
[P1] API bundles front‑end image modules into Node function
The serverless /trade endpoint pulls getMarketMeta, which imports MARKETS_FULL_LOGOS that in turn imports numerous .webp assets via Vite loaders. Vercel’s Node builder does not understand image module imports, so bundling the function will fail with an unknown file extension error and the endpoint won’t respond. Server code should reference plain URLs or move the mapping to JSON rather than importing client-only asset modules.
Summary

Testing

pnpm lint (fails: Unexpected any, no-extra-semi, etc.)
pnpm build

https://chatgpt.com/codex/tasks/task_e_68bae0198988832e9251100936b9aa11