From c44d3d7a7e9e9e3abf5a8129d8cded5336102155 Mon Sep 17 00:00:00 2001
From: Risto Lahtela <24460436+Rsl1122@users.noreply.github.com>
Date: Sun, 24 Jan 2021 11:14:06 +0200
Subject: [PATCH] Prevented a future accidental XSS vulnerability in Register
 endpoint error

The username parameter was passed to an exception that is currently turned into
JSON, but the way this exception is handled could change in the future.
---
 .../delivery/webserver/resolver/auth/RegisterResolver.java    | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
index bca0bc2bb..3b7ce4154 100644
--- a/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
+++ b/Plan/common/src/main/java/com/djrapitops/plan/delivery/webserver/resolver/auth/RegisterResolver.java
@@ -35,7 +35,7 @@ import java.util.Optional;
 @Singleton
 public class RegisterResolver implements NoAuthResolver {
 
-    private DBSystem dbSystem;
+    private final DBSystem dbSystem;
 
     @Inject
     public RegisterResolver(DBSystem dbSystem) {this.dbSystem = dbSystem;}
@@ -58,7 +58,7 @@ public class RegisterResolver implements NoAuthResolver {
         String username = query.get("user").orElseThrow(() -> new BadRequestException("'user' parameter not defined"));
 
         boolean alreadyExists = dbSystem.getDatabase().query(WebUserQueries.fetchUser(username)).isPresent();
-        if (alreadyExists) throw new BadRequestException("User '" + username + "' already exists!");
+        if (alreadyExists) throw new BadRequestException("User already exists!");
 
         String password = query.get("password").orElseThrow(() -> new BadRequestException("'password' parameter not defined"));
         try {
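Review bot: Nothing on the new `throw new BadRequestException("User already exists!")` line tells a later maintainer why the username was dropped, so the interpolation could easily be reintroduced; a short comment such as `// Do not echo 'username' here: the exception message may end up rendered as HTML` would keep the intent next to the code. The durable control is output encoding wherever BadRequestException messages are turned into a response, and that code is not visible in this hunk. Separately, the context lines read the credential with `query.get("password")`; if `query` is the URL query string, the password can land in access logs and browser history, so moving it to the request body would be worth a follow-up. The enclosing method starts and ends outside the hunk.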