fix: potentially unsafe quoting (#232)

Signed-off-by: Ales Verbic <verbotenj@blinklabs.io>
blinklabs-io · Jul 24, 2024 · 7a08609 · 7a08609
1 parent 6683d4c
commit 7a08609
Show file tree

Hide file tree

Showing 2 changed files with 23 additions and 24 deletions.
diff --git a/api/api.go b/api/api.go
@@ -85,8 +85,8 @@ func (a *APIv1) Engine() *gin.Engine {
 //	@contact.url	https://blinklabs.io
 //	@contact.email	support@blinklabs.io
 
-//	@license.name	Apache 2.0
-//	@license.url	http://www.apache.org/licenses/LICENSE-2.0.html
+// @license.name	Apache 2.0
+// @license.url	http://www.apache.org/licenses/LICENSE-2.0.html
 func (a *APIv1) Start() error {
 	address := fmt.Sprintf("%s:%d", a.Host, a.Port)
 	// Use buffered channel to not block goroutine

diff --git a/output/push/qr_generator.go b/output/push/qr_generator.go
@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"text/template"
 
 	"github.com/gin-gonic/gin"
 )
@@ -15,9 +14,10 @@ type QRValue struct {
 
 func generateQRPage(apiEndpoint string) gin.HandlerFunc {
 	return func(c *gin.Context) {
-		apiEndpoint := c.Request.Host + apiEndpoint
+		fullApiEndpoint := c.Request.Host + apiEndpoint
+		// Create QRValue and marshal to JSON
 		qrValue, err := json.Marshal(QRValue{
-			ApiEndpoint: apiEndpoint,
+			ApiEndpoint: fullApiEndpoint,
 		})
 		if err != nil {
 			c.JSON(http.StatusInternalServerError, gin.H{
@@ -26,40 +26,39 @@ func generateQRPage(apiEndpoint string) gin.HandlerFunc {
 			return
 		}
 
-		qrValueEscaped := template.JSEscapeString(string(qrValue))
-
+		// Generate HTML content
 		htmlContent := fmt.Sprintf(`
 	<!DOCTYPE html>
 	<html lang="en">
 	<head>
-			<meta charset="UTF-8">
-			<meta name="viewport" content="width=device-width, initial-scale=1.0">
-			<title>QR Code</title>
-			<link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
-			<script src="https://cdn.jsdelivr.net/npm/qrious@latest/dist/qrious.min.js"></script>
+		<meta charset="UTF-8">
+		<meta name="viewport" content="width=device-width, initial-scale=1.0">
+		<title>QR Code</title>
+		<link href="https://cdn.jsdelivr.net/npm/tailwindcss@2.2.19/dist/tailwind.min.css" rel="stylesheet">
+		<script src="https://cdn.jsdelivr.net/npm/qrious@latest/dist/qrious.min.js"></script>
 	</head>
 	<body class="bg-gray-100 h-screen flex items-center justify-center">
 		<!-- QR Code Container -->
 		<div class="bg-white p-8 rounded-lg shadow-md text-center">
-				<p class="text-xl mb-4">Scan QR code with Adder Mobile to connect to the Adder Server on <span class="font-semibold">%s</span></p>
-				<canvas id="qrCanvas" class="mx-auto"></canvas>
+			<p class="text-xl mb-4">Scan QR code with Adder Mobile to connect to the Adder Server on <span class="font-semibold">%s</span></p>
+			<canvas id="qrCanvas" class="mx-auto"></canvas>
 		</div>
 	
 		<!-- Generate QR Code using JavaScript -->
 		<script>
-				window.onload = function() {
-						const canvas = document.getElementById('qrCanvas');
-						const qrValue = "%s";
-						const qr = new QRious({
-								element: canvas,
-								value: qrValue,
-								size: 250 
-						});
-				}
+			window.onload = function() {
+				const canvas = document.getElementById('qrCanvas');
+				const qrValue = %s; // Directly embed the JSON object
+				const qr = new QRious({
+					element: canvas,
+					value: JSON.stringify(qrValue),
+					size: 250 
+				});
+			}
 		</script>
 	</body>
 	</html>
-	`, apiEndpoint, qrValueEscaped)
+	`, fullApiEndpoint, qrValue)
 
 		c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(htmlContent))
 	}