Escape html special chars #656
Conversation
|
When applying this patch I found that login to the web UI fails. |
|
@rwillert looks like you translate the characters to HTML form but do not reverse the translation when the string gets put to use in the backend. For example, It might be better to base64 encode the user input before storing it in the (JSON) backend and base64 decode when retrieving it. The encoding would guarantee to not conflict with JSON backend format. |
| @@ -2,11 +2,11 @@ package router | |||
|
|
|||
| import ( | |||
| "errors" | |||
| "html/template" | |||
There was a problem hiding this comment.
This breaks the application.
I'll open a new pull request building on your work and attributing you with a co-authorship.
There was a problem hiding this comment.
Here is the PR I verified it works well. #673
* Escaping HTML in several places. * Adds PreUp config when one didn't exist. * Adds environment variable support for PreUp and PreDown. closes ngoduykhanh#549 closes ngoduykhanh#655 closes ngoduykhanh#656 See also -------- - samrocketman/addons-homeassistant#9 Co-authored-by: Robert Willert <[email protected]>
"> <script>alert('hello');</script> is working for client values and some other templates...
Using html for templates will make the magic. For JSON data and JS templating this step is custom code.
Maybe also will fix #549 and #655