From 00e3d09cc57819226b2cff20d0246595925f6e24 Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Mon, 18 Nov 2024 02:29:05 +0100
Subject: [PATCH] Fix escaping for embed gists (#381)
---
internal/web/gist.go | 33 +++++++++++++++++++++++++++------
1 file changed, 27 insertions(+), 6 deletions(-)
diff --git a/internal/web/gist.go b/internal/web/gist.go
index 68da47ca..f7d35642 100644
--- a/internal/web/gist.go
+++ b/internal/web/gist.go
@@ -4,6 +4,7 @@ import (
"archive/zip"
"bufio"
"bytes"
+ gojson "encoding/json"
"errors"
"fmt"
"html/template"
@@ -428,12 +429,10 @@ func gistJs(ctx echo.Context) error {
return errorRes(500, "Error joining css url", err)
}
- js := `document.write('')
-document.write('%s')
-`
- content := strings.Replace(htmlbuf.String(), `\n`, `\\n`, -1)
- content = strings.Replace(content, "\n", `\n`, -1)
- js = fmt.Sprintf(js, cssUrl, content)
+ js, err := escapeJavaScriptContent(htmlbuf.String(), cssUrl)
+ if err != nil {
+ return errorRes(500, "Error escaping JavaScript content", err)
+ }
ctx.Response().Header().Set("Content-Type", "application/javascript")
return plainText(ctx, 200, js)
}
@@ -894,3 +893,25 @@ func preview(ctx echo.Context) error {
return plainText(ctx, 200, previewStr)
}
+
+func escapeJavaScriptContent(htmlContent, cssUrl string) (string, error) {
+ jsonContent, err := gojson.Marshal(htmlContent)
+ if err != nil {
+ return "", fmt.Errorf("failed to encode content: %w", err)
+ }
+
+ jsonCssUrl, err := gojson.Marshal(cssUrl)
+ if err != nil {
+ return "", fmt.Errorf("failed to encode CSS URL: %w", err)
+ }
+
+ js := fmt.Sprintf(`
+ document.write('');
+ document.write(%s);
+ `,
+ string(jsonCssUrl),
+ string(jsonContent),
+ )
+
+ return js, nil
+}
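Review bot: escapeJavaScriptContent is a new package-level function with no doc comment, and the reason it uses JSON encoding (rather than the ad-hoc `\n` replacement it replaces) is the security-relevant part worth recording: `// escapeJavaScriptContent builds the embed script; the CSS URL and the rendered gist HTML are JSON-encoded so quotes, backslashes, newlines, U+2028/U+2029 and <, >, & (escaped as \u003c etc. by encoding/json) cannot terminate the JavaScript string literals.` The stylesheet markup inside the first `document.write('…')` appears elided in this view, so this is hedged: if the JSON-encoded cssUrl is interpolated inside that single-quoted JS literal, note that JSON does not escape `'`, so a URL containing one would still end the literal — either build the link with the JSON string as the whole literal (double-quoted, as the second `document.write(%s)` already does) or url-validate cssUrl before formatting. The error strings at L43 and L48 carry a redundant "failed to" prefix; once wrapped by the caller's errorRes message the chain reads better as `return "", fmt.Errorf("encoding content: %w", err)` and `return "", fmt.Errorf("encoding CSS URL: %w", err)`.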