From 7a086096dbc068e0a994bb77026eab66971f19cf Mon Sep 17 00:00:00 2001
From: Ales Verbic
Date: Wed, 24 Jul 2024 11:50:55 -0400
Subject: [PATCH] fix: potentially unsafe quoting (#232)
Signed-off-by: Ales Verbic
---
 api/api.go | 4 ++--
 output/push/qr_generator.go | 43 ++++++++++++++++++-------------------
 2 files changed, 23 insertions(+), 24 deletions(-)
diff --git a/api/api.go b/api/api.go
index e88db84..319cf7d 100644
--- a/api/api.go
+++ b/api/api.go
@@ -85,8 +85,8 @@ func (a *APIv1) Engine() *gin.Engine {
 // @contact.url https://blinklabs.io
 // @contact.email support@blinklabs.io
-// @license.name Apache 2.0
-// @license.url http://www.apache.org/licenses/LICENSE-2.0.html
+// @license.name Apache 2.0
+// @license.url http://www.apache.org/licenses/LICENSE-2.0.html
 func (a *APIv1) Start() error {
 address := fmt.Sprintf("%s:%d", a.Host, a.Port)
 // Use buffered channel to not block goroutine
diff --git a/output/push/qr_generator.go b/output/push/qr_generator.go
index ab66979..9fd4347 100644
--- a/output/push/qr_generator.go
+++ b/output/push/qr_generator.go
@@ -4,7 +4,6 @@ import (
 "encoding/json"
 "fmt"
 "net/http"
- "text/template"
 "github.com/gin-gonic/gin"
 )
@@ -15,9 +14,10 @@ type QRValue struct {
 func generateQRPage(apiEndpoint string) gin.HandlerFunc {
 return func(c *gin.Context) {
- apiEndpoint := c.Request.Host + apiEndpoint
+ fullApiEndpoint := c.Request.Host + apiEndpoint
+ // Create QRValue and marshal to JSON
 qrValue, err := json.Marshal(QRValue{
- ApiEndpoint: apiEndpoint,
+ ApiEndpoint: fullApiEndpoint,
 })
 if err != nil {
 c.JSON(http.StatusInternalServerError, gin.H{
@@ -26,40 +26,39 @@ func generateQRPage(apiEndpoint string) gin.HandlerFunc {
 return
 }
- qrValueEscaped := template.JSEscapeString(string(qrValue))
-
+ // Generate HTML content
 htmlContent := fmt.Sprintf(`
-
-
- QR Code
-
-
+
+
+ QR Code
+
+
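Review bot: `fullApiEndpoint := c.Request.Host + apiEndpoint` derives the value from the request's Host header rather than from server configuration, and the following hunk (`// Generate HTML content`) interpolates it into the page through `%s` in `fmt.Sprintf` with no HTML escaping; the removed `template.JSEscapeString` never covered this string either, so the commit leaves that gap open. For the visible text node (`... on %s`) the minimal change is `` `, html.EscapeString(fullApiEndpoint), qrValue) `` in the Sprintf argument list together with `"html"` in the import block, and preferring a configured public host over `c.Request.Host` would remove the request-controlled input altogether. Where the marshalled `qrValue` lands in the markup is not reproduced in this rendering; `json.Marshal` escapes `<`, `>` and `&` by default, which suits a `<script>` body, but inside a quoted HTML attribute the JSON's own double quotes would still need `html.EscapeString`. generateQRPage's body continues past this hunk, and the HTML hunk that follows is only partially visible here, so the exact insertion context could not be confirmed.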
-

Scan QR code with Adder Mobile to connect to the Adder Server on %s

- +

Scan QR code with Adder Mobile to connect to the Adder Server on %s

+
- `, apiEndpoint, qrValueEscaped)
+ `, fullApiEndpoint, qrValue)
 c.Data(http.StatusOK, "text/html; charset=utf-8", []byte(htmlContent))
 }