w3c / websub

WebSub Spec in Social Web Working Group

Home Page:https://w3c.github.io/websub/

GitHub Code Scanning Alerts on hub.challenge when using Express.js

NotMyself opened this issue

We are implementing a subscriber to the Twitch.tv API. The GitHub Code Scanning system flags it as a CWE-79 and CWE-116 violation.

It suggests escaping the value like this:

response.status(200).send(escape(request.query['hub.challenge']));

Section 5.3.1 Verification Details says that the subscriber MUST respond with a status of 200 and response body equal to the hub.challenge value. It does not offer a format for the hub.challenge value. Escaping it could alter the value in a way that makes it unacceptable to the hub.

I suspect that in implementation it is just a hash, but that is not part of the spec and so cannot be relied on.

Tracking here: michaeljolley/number-one#76
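The intent-verification exchange the issue describes, as an added example that is not code from the issue, from the reporter's project, or from the WebSub spec repository. It keeps hub.challenge byte-for-byte, which is what section 5.3.1 requires, and addresses the reflected-output finding by declaring the body as text/plain (with nosniff) instead of escaping it. It also checks hub.mode and hub.topic against subscriptions the subscriber actually requested, and rejects a hub.challenge that Express's query parser has turned into an array or object. The function names (verifyIntent, websubCallback, htmlEscape), the example topic URL and the pending-subscription table are assumptions; htmlEscape is only a stand-in for the kind of escaping the scanner suggests, used to show how it corrupts the echoed value.

```javascript
'use strict';

// Added example, not code from the issue or the WebSub spec repository.
// WebSub section 5.3: the hub sends GET <callback>?hub.mode=...&hub.topic=...
// &hub.challenge=...&hub.lease_seconds=... and the subscriber must echo
// hub.challenge unchanged in the response body to confirm the request.

// Constructed table of subscriptions this subscriber has requested, keyed by
// topic URL (an assumption; a real subscriber would persist this).
const pendingSubscriptions = new Map([
  ['https://example.com/feed', { mode: 'subscribe' }],
]);

// Express's query parser can turn `hub.challenge[]=x` into an array or
// `hub.challenge[a]=x` into an object; only a plain string is a valid challenge.
function asSingleString(value) {
  return typeof value === 'string' ? value : null;
}

// Core logic as a pure function over the parsed query so it can be exercised
// without a listener. Returns { status, headers, body }.
function verifyIntent(query, subscriptions = pendingSubscriptions) {
  const mode = asSingleString(query['hub.mode']);
  const topic = asSingleString(query['hub.topic']);
  const challenge = asSingleString(query['hub.challenge']);

  if (!mode || !topic || challenge === null) {
    return { status: 400, headers: { 'Content-Type': 'text/plain' }, body: 'missing hub.* parameter' };
  }

  // Only confirm intents that are actually outstanding; anything else is
  // refused with 404, which is what the spec says to return when the
  // subscriber does not agree with the action.
  const pending = subscriptions.get(topic);
  if (!pending || pending.mode !== mode) {
    return { status: 404, headers: { 'Content-Type': 'text/plain' }, body: 'unknown subscription' };
  }

  // Echo the challenge verbatim. Declaring text/plain (plus nosniff) is what
  // keeps this from being reflected XSS: a browser will not render the body
  // as HTML, so the value needs no escaping and must not be altered.
  return {
    status: 200,
    headers: {
      'Content-Type': 'text/plain; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
    },
    body: challenge,
  };
}

// Stand-in for HTML escaping of the kind the scanner proposes (an assumption
// about what `escape` does there); included only to show that it changes the
// value the hub is waiting for.
function htmlEscape(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Express adapter (hypothetical route name): app.get('/websub/callback', websubCallback)
// res.send() only defaults to text/html when no Content-Type is set, so setting
// the headers first keeps the body as text/plain.
function websubCallback(req, res) {
  const r = verifyIntent(req.query);
  res.status(r.status).set(r.headers).send(r.body);
}
```

A challenge such as `a&b'c<d>` is returned exactly by verifyIntent but becomes `a&amp;b&#39;c&lt;d&gt;` after htmlEscape, so a hub comparing the body to what it sent would reject the escaped version. The Content-Type is the defence here; whether a given scanner recognises that and clears the alert is a separate question from whether the handler is correct.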