liz/PluralKit
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix(dashboard): escape HTML in opengraph embeds

Browse Source
This commit is contained in:
spiral
2022-06-05 14:29:44 -04:00
parent 2463c20cba
commit 1b2dcdb26d
1 changed files with 5 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
dashboard/main.go
View File

@@ -4,6 +4,7 @@ import (
"embed"
"encoding/json"
"fmt"
"html"
"io"
"net/http"
"strings"
@@ -120,17 +121,17 @@ func createEmbed(rw http.ResponseWriter, r *http.Request) {
text := fmt.Sprintf(`<link type="application/json+oembed" href="%s/%s/oembed.json" />%s`, baseURL, path, "\n")
if data.AvatarURL != nil {
text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, *data.AvatarURL, "\n")
text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, html.EscapeString(*data.AvatarURL), "\n")
} else if data.IconURL != nil {
text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, *data.IconURL, "\n")
text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, html.EscapeString(*data.IconURL), "\n")
}
if data.Description != nil {
text += fmt.Sprintf(`<meta content="%s" property="og:description">%s`, *data.Description, "\n")
text += fmt.Sprintf(`<meta content="%s" property="og:description">%s`, html.EscapeString(*data.Description), "\n")
}
if data.Color != nil {
text += fmt.Sprintf(`<meta name="theme-color" content="#%s">%s`, *data.Color, "\n")
text += fmt.Sprintf(`<meta name="theme-color" content="#%s">%s`, html.EscapeString(*data.Color), "\n")
}
html, err := fs.ReadFile("dist/index.html")