fix(core): shortlink exploit (#1829)

* fix(core): shortlink exploit

* bump

Author: davidvitora

build/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botpress",
-  "version": "12.31.7",
+  "version": "12.31.8",
   "description": "The world's most powerful conversational engine",
   "main": "index.js",
   "bin": "index.js",

package.json

@@ -1,6 +1,6 @@
 {
   "name": "bp_main",
-  "version": "12.31.7",
+  "version": "12.31.8",
   "description": "The world's most powerful conversational engine",
   "engines": {
     "node": "^12"

packages/bp/package.json

@@ -1,6 +1,6 @@
 {
   "name": "botpress",
-  "version": "12.31.7",
+  "version": "12.31.8",
   "description": "The world's most powerful conversational engine",
   "engines": {
     "node": "^12"

packages/bp/src/core/routers/shortlinks.ts

@@ -19,7 +19,8 @@ export class ShortLinksRouter extends CustomRouter {
       let link = name && this.shortlinks.get(name)
 
       if (!link) {
-        return res.status(404).send(`Shortlink "${name}" not registered`)
+        // Sanatize name
+        return res.status(404).send(`Shortlink "${name.replace(/</g, '&lt;').replace(/>/g, '&gt;')}" not registered`)
       }
 
       const query = qs.stringify(req.query)