From 39a8078b34ec4b0c55de8189cffc717748d124a7 Mon Sep 17 00:00:00 2001
From: Jaden-JJH <73709050+Jaden-JJH@users.noreply.github.com>
Date: Tue, 3 Mar 2026 00:00:56 +0900
Subject: [PATCH 1/4] fix: Unsafe Formatstring (CWE-134)
---
 examples/search/index.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/search/index.js b/examples/search/index.js
index b995b8fab16..5d97ba6c9a3 100644
--- a/examples/search/index.js
+++ b/examples/search/index.js
@@ -54,7 +54,7 @@ app.get('/search/{:query}', function (req, res, next) {
 db.sMembers(query)
 .then((vals) => res.send(vals))
 .catch((err) => {
- console.error(`Redis error for query "${query}":`, err);
+ console.error('Redis error for query:', JSON.stringify(query), err);
 next(err);
 });
 });
From 6513639524cc515ddf89e558020b6a874a97f1fb Mon Sep 17 00:00:00 2001
From: Jaden-JJH <73709050+Jaden-JJH@users.noreply.github.com>
Date: Tue, 3 Mar 2026 00:00:57 +0900
Subject: [PATCH 2/4] fix: Express Cookie Session No Httponly (CWE-522), Express Cookie Session No Secure (CWE-522), Express Cookie Session Default Name (CWE-522), Express Cookie Session No Domain (CWE-522), Express Session Hardcoded Secret (CWE-798), Express Cookie Session No Expires (CWE-522), Express Cookie Session No Path (CWE-522)
---
 examples/auth/index.js | 17 +++++++++++++++--
 1 file changed, 15 insertions(+), 2 deletions(-)
diff --git a/examples/auth/index.js b/examples/auth/index.js
index 40b73e6de16..1374221177b 100644
--- a/examples/auth/index.js
+++ b/examples/auth/index.js
@@ -20,10 +20,23 @@ app.set('views', path.join(__dirname, 'views'));
 app.use(express.urlencoded())
 app.use(session({
+ name: 'sessionId', // Custom session cookie name
+ resave: false, // don't save session if unmodified
+ app.use(session({
 resave: false, // don't save session if unmodified
 saveUninitialized: false, // don't create session until something stored
- secret: 'shhhh, very secret'
-}));
+ cookie: {
+ maxAge: 24 * 60 * 60 * 1000, // 24 hours in milliseconds
+ httpOnly: true, // prevent XSS attacks
+ secure: process.env.NODE_ENV === 'production', // HTTPS only in production
+ sameSite: 'strict' // CSRF protection
+ }
+ cookie: {
+ domain: 'yourdomain.com', // Set specific domain
+ secure: true, // Use HTTPS only
+ httpOnly: true, // Prevent XSS
+ maxAge: 24 * 60 * 60 * 1000 // 24 hours
+ }
 // Session-persisted message middleware
From d7abb79d744cbb22aa281e9b182d31ab473021ca Mon Sep 17 00:00:00 2001
From: Jaden-JJH <73709050+Jaden-JJH@users.noreply.github.com>
Date: Tue, 3 Mar 2026 00:00:58 +0900
Subject: [PATCH 3/4] fix: Template Explicit Unescape (CWE-79)
---
 examples/auth/views/login.ejs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/examples/auth/views/login.ejs b/examples/auth/views/login.ejs
index 181c36caf7a..dbe181d7f9a 100644
--- a/examples/auth/views/login.ejs
+++ b/examples/auth/views/login.ejs
@@ -2,7 +2,7 @@
<%- include('head', { title: 'Authentication Example' }) -%>
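Review bot: The session options literal in this hunk does not parse: a second `app.use(session({` is added inside the first, the closing `}));` is removed without a replacement, and two `cookie:` properties are added to the same literal with no comma between them, so even if it loaded the second block would silently override the first. Removing `secret: 'shhhh, very secret'` without adding a replacement also leaves express-session with no secret at all, which it rejects at startup, so the CWE-798 fix should read the value from the environment (e.g. `secret: process.env.SESSION_SECRET`, a constructed name) rather than drop the key. The two cookie blocks also disagree on `secure` (env-gated vs. hard `true`), and `domain: 'yourdomain.com'` is a placeholder that makes browsers reject the cookie on any other host; omitting `domain` yields a host-only cookie, which is the stricter default. The hunk's trailing context looks truncated in this rendering, so the rewrite below assumes nothing else sits between the session call and the `// Session-persisted message middleware` comment.
```javascript
app.use(session({
  name: 'sessionId', // avoid the default cookie name
  resave: false, // don't save session if unmodified
  saveUninitialized: false, // don't create session until something stored
  secret: process.env.SESSION_SECRET, // constructed env name; never hard-code, fail fast if unset
  cookie: {
    httpOnly: true, // not readable from page scripts
    sameSite: 'strict', // not sent on cross-site requests
    secure: process.env.NODE_ENV === 'production', // example runs over plain HTTP locally
    maxAge: 24 * 60 * 60 * 1000 // 24 hours
  }
}));
// … unchanged: Session-persisted message middleware …
```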