fix(web): use JSON.stringify for env var injection in all hooks.server.ts

Prevents potential XSS by safely serializing env values instead of using raw string interpolation. Also creates missing hooks.server.ts for context app and standardizes citycorners to use the same injection pattern. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-05-22 14:06:42 +02:00 · 2026-03-26 14:23:29 +01:00 · 2026-03-26 14:23:29 +01:00 · e676ba6873
commit e676ba6873
parent 8a1cb2dcbb
19 changed files with 101 additions and 63 deletions
--- a/apps/context/apps/web/src/hooks.server.ts
+++ b/apps/context/apps/web/src/hooks.server.ts
@ -0,0 +1,28 @@
+import type { Handle } from '@sveltejs/kit';
+import { injectUmamiAnalytics } from '@manacore/shared-utils/analytics-server';
+import { setSecurityHeaders } from '@manacore/shared-utils/security-headers';
+
+const PUBLIC_MANA_CORE_AUTH_URL_CLIENT =
+	process.env.PUBLIC_MANA_CORE_AUTH_URL_CLIENT || process.env.PUBLIC_MANA_CORE_AUTH_URL || '';
+const PUBLIC_BACKEND_URL_CLIENT =
+	process.env.PUBLIC_BACKEND_URL_CLIENT || process.env.PUBLIC_BACKEND_URL || '';
+const PUBLIC_GLITCHTIP_DSN = process.env.PUBLIC_GLITCHTIP_DSN || '';
+
+export const handle: Handle = async ({ event, resolve }) => {
+	const response = await resolve(event, {
+		transformPageChunk: ({ html }) => {
+			const envScript = `<script>
+window.__PUBLIC_MANA_CORE_AUTH_URL__ = ${JSON.stringify(PUBLIC_MANA_CORE_AUTH_URL_CLIENT)};
+window.__PUBLIC_BACKEND_URL__ = ${JSON.stringify(PUBLIC_BACKEND_URL_CLIENT)};
+window.__PUBLIC_GLITCHTIP_DSN__ = ${JSON.stringify(PUBLIC_GLITCHTIP_DSN)};
+</script>`;
+			return injectUmamiAnalytics(html.replace('<head>', `<head>${envScript}`));
+		},
+	});
+
+	setSecurityHeaders(response, {
+		connectSrc: [PUBLIC_MANA_CORE_AUTH_URL_CLIENT, PUBLIC_BACKEND_URL_CLIENT],
+	});
+
+	return response;
+};