From 00e3d09cc57819226b2cff20d0246595925f6e24 Mon Sep 17 00:00:00 2001
From: Thomas Miceli <27960254+thomiceli@users.noreply.github.com>
Date: Mon, 18 Nov 2024 02:29:05 +0100
Subject: [PATCH] Fix escaping for embed gists (#381)

---
 internal/web/gist.go | 33 +++++++++++++++++++++++++++------
 1 file changed, 27 insertions(+), 6 deletions(-)

diff --git a/internal/web/gist.go b/internal/web/gist.go
index 68da47ca..f7d35642 100644
--- a/internal/web/gist.go
+++ b/internal/web/gist.go
@@ -4,6 +4,7 @@ import (
 	"archive/zip"
 	"bufio"
 	"bytes"
+	gojson "encoding/json"
 	"errors"
 	"fmt"
 	"html/template"
@@ -428,12 +429,10 @@ func gistJs(ctx echo.Context) error {
 		return errorRes(500, "Error joining css url", err)
 	}
 
-	js := `document.write('')
-document.write('%s')
-`
-	content := strings.Replace(htmlbuf.String(), `\n`, `\\n`, -1)
-	content = strings.Replace(content, "\n", `\n`, -1)
-	js = fmt.Sprintf(js, cssUrl, content)
+	js, err := escapeJavaScriptContent(htmlbuf.String(), cssUrl)
+	if err != nil {
+		return errorRes(500, "Error escaping JavaScript content", err)
+	}
 	ctx.Response().Header().Set("Content-Type", "application/javascript")
 	return plainText(ctx, 200, js)
 }
@@ -894,3 +893,25 @@ func preview(ctx echo.Context) error {
 
 	return plainText(ctx, 200, previewStr)
 }
+
+func escapeJavaScriptContent(htmlContent, cssUrl string) (string, error) {
+	jsonContent, err := gojson.Marshal(htmlContent)
+	if err != nil {
+		return "", fmt.Errorf("failed to encode content: %w", err)
+	}
+
+	jsonCssUrl, err := gojson.Marshal(cssUrl)
+	if err != nil {
+		return "", fmt.Errorf("failed to encode CSS URL: %w", err)
+	}
+
+	js := fmt.Sprintf(`
+	document.write('');
+	document.write(%s);
+	`,
+		string(jsonCssUrl),
+		string(jsonContent),
+	)
+
+	return js, nil
+}
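Review bot: escapeJavaScriptContent has no doc comment, and the property the fix depends on deserves to be written down: gojson.Marshal yields a valid JavaScript string literal only because encoding/json escapes `<`, `>` and `&` (to `\u003c` etc.) by default and always escapes U+2028/U+2029, so a suggested comment is `// escapeJavaScriptContent builds the embed script body. Both values are JSON-encoded, which produces valid JavaScript string literals; json.Marshal's default HTML-safe escaping (<, >, &, U+2028/U+2029) is what keeps user content from breaking out of the literal, so do not replace it with an Encoder that has SetEscapeHTML(false).` As rendered here the first `document.write('')` carries no `%s` verb while two arguments are passed, so fmt.Sprintf would append a `%!(EXTRA string=...)` diagnostic to the served script; if a tag between the quotes was lost in rendering this is moot, but `go vet`'s printf check is the cheap way to confirm. The wrapped error strings read better without the `failed to` prefix, e.g. `return "", fmt.Errorf("encoding content: %w", err)`. A small table test feeding `'`, `\`, `</script>`, a newline and U+2028 through the function and checking that the output is a single well-formed string literal would pin the behavior the old replace-based code mishandled.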