ihasTaco / ServerQuery

A Discord Bot that queries game servers
Mozilla Public License 2.0

Sanitize guild_id in HTTP responses to prevent potential XSS attacks #7

Open ihasTaco opened 1 year ago

ihasTaco commented 1 year ago

In the current implementation of ServerQuery, the guild_id is included directly in HTTP responses without being sanitized first. While guild_id is provided by the Discord API and not user-inputted, it is included in URLs and could potentially be manipulated.

This could pose a potential risk for Cross-Site Scripting (XSS) attacks, where an attacker tricks a user into clicking a malicious link that includes a script in the guild_id.

To resolve this issue, we need to sanitize guild_id before including it in HTTP responses. This can be done using a library such as escape-html or validator.

Steps to Reproduce:

Expected Outcome: The guild_id in the HTTP response should be sanitized and not pose any risk for XSS attacks.

Actual Outcome: The guild_id is included directly in the HTTP response without being sanitized, potentially posing a risk for XSS attacks.

Suggested Fix: Use a library like escape-html to sanitize guild_id before including it in HTTP responses.

Relevant Example Code Snippet: See getRoutes.js

const express = require('express');
const router = express.Router();

router.get('/:guild_id/servers', function(req, res) {
    const { guild_id } = req.params;
    // ...
    // guild_id is taken straight from the URL path and interpolated unescaped into the body
    res.status(404).send(`No servers found for guild ID: ${guild_id}`);
    // ...
});

module.exports = router;
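The fix the issue asks for, as an added example that is not code from the ServerQuery repository: the unescaped 404 body beside a hardened version. The escapeHtml helper is inlined so the block runs without the escape-html package; isSnowflake is an assumed allow-list check based on Discord IDs being decimal digit strings, and fakeRes is a stand-in for Express's response object.

```javascript
// Same replacements the escape-html package performs, inlined for a dependency-free run.
function escapeHtml(str) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(str).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Assumed allow-list: Discord snowflakes are unsigned 64-bit integers rendered
// as decimal strings, so anything else in the path parameter is simply rejected.
function isSnowflake(id) {
  return /^\d{17,20}$/.test(id);
}

// Original behaviour from the issue: the path parameter is echoed verbatim.
function notFoundBodyUnsafe(guildId) {
  return `No servers found for guild ID: ${guildId}`;
}

// Hardened: validate first, then escape whatever is echoed back.
function notFoundBodySafe(guildId) {
  if (!isSnowflake(guildId)) {
    return { status: 400, body: 'Invalid guild ID' };
  }
  return { status: 404, body: `No servers found for guild ID: ${escapeHtml(guildId)}` };
}

// Handler shaped like the route in getRoutes.js. Declaring text/plain matters too:
// Express's res.send(string) defaults to text/html, which is what lets a browser
// render injected markup.
function serversNotFound(req, res) {
  const { guild_id } = req.params;
  const result = notFoundBodySafe(guild_id);
  res.status(result.status).type('text/plain').send(result.body);
}

// Minimal stand-in for Express's res so the handler can be exercised offline.
function fakeRes() {
  const r = { statusCode: 200, headers: {}, body: undefined };
  r.status = (c) => { r.statusCode = c; return r; };
  r.type = (t) => { r.headers['content-type'] = t; return r; };
  r.send = (b) => { r.body = b; return r; };
  return r;
}

// Constructed sample input: a path parameter carrying markup instead of an ID.
const constructedBadId = '<script>alert(1)</script>';
const demo = fakeRes();
serversNotFound({ params: { guild_id: constructedBadId } }, demo);
```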