fix(dashboard): escape HTML in opengraph embeds

spiral 2022-06-05 14:29:44 -04:00
parent 2463c20cba
commit 1b2dcdb26d
No known key found for this signature in database
GPG Key ID: 244A11E4B0BCF40E


@ -4,6 +4,7 @@ import (
"embed" "embed"
"encoding/json" "encoding/json"
"fmt" "fmt"
"html"
"io" "io"
"net/http" "net/http"
"strings" "strings"
@ -120,17 +121,17 @@ func createEmbed(rw http.ResponseWriter, r *http.Request) {
text := fmt.Sprintf(`<link type="application/json+oembed" href="%s/%s/oembed.json" />%s`, baseURL, path, "\n") text := fmt.Sprintf(`<link type="application/json+oembed" href="%s/%s/oembed.json" />%s`, baseURL, path, "\n")
if data.AvatarURL != nil { if data.AvatarURL != nil {
text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, *data.AvatarURL, "\n") text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, html.EscapeString(*data.AvatarURL), "\n")
} else if data.IconURL != nil { } else if data.IconURL != nil {
text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, *data.IconURL, "\n") text += fmt.Sprintf(`<meta content='%s' property='og:image'>%s`, html.EscapeString(*data.IconURL), "\n")
} }
if data.Description != nil { if data.Description != nil {
text += fmt.Sprintf(`<meta content="%s" property="og:description">%s`, *data.Description, "\n") text += fmt.Sprintf(`<meta content="%s" property="og:description">%s`, html.EscapeString(*data.Description), "\n")
} }
if data.Color != nil { if data.Color != nil {
text += fmt.Sprintf(`<meta name="theme-color" content="#%s">%s`, *data.Color, "\n") text += fmt.Sprintf(`<meta name="theme-color" content="#%s">%s`, html.EscapeString(*data.Color), "\n")
} }
html, err := fs.ReadFile("dist/index.html") html, err := fs.ReadFile("dist/index.html")
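Review bot: The oEmbed `<link>` line at the top of this hunk still interpolates `baseURL` and `path` into the `href` attribute unescaped, while every other tag built here now goes through `html.EscapeString`. Where `path` comes from is not visible in the hunk; if it is derived from the request URL it needs the same treatment, for example passing `html.EscapeString(baseURL), html.EscapeString(path)` as the Sprintf arguments. Separately, the unchanged `html, err := fs.ReadFile("dist/index.html")` shadows the newly imported `html` package for the rest of `createEmbed`, so any later `html.EscapeString` call in this function would fail to compile; renaming the variable, e.g. `page, err := fs.ReadFile("dist/index.html")`, removes that trap. `createEmbed` begins before this hunk and continues past it, so later uses of the variable would need the same rename.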