Escape QDN vars and prefix with underscores.

2025-06-07 16:56:59 +00:00 · 2023-03-03 11:57:07 +00:00 · 2023-03-03 11:57:07 +00:00 · b17035c864
commit b17035c864
parent fa14568cb9
2 changed files with 12 additions and 8 deletions
--- a/src/main/java/org/qortal/api/HTMLParser.java
+++ b/src/main/java/org/qortal/api/HTMLParser.java
@ -41,8 +41,12 @@ public class HTMLParser {
            String qAppsScriptElement = String.format("<script src=\"/apps/q-apps.js?time=%d\">", System.currentTimeMillis());
            head.get(0).prepend(qAppsScriptElement);
-            // Add vars
+            // Escape and add vars
-            String qdnContextVar = String.format("<script>var qdnContext=\"%s\"; var qdnService=\"%s\"; var qdnName=\"%s\"; var qdnIdentifier=\"%s\"; var qdnPath=\"%s\";</script>", this.qdnContext, this.service.toString(), this.resourceId, this.identifier, this.path);
+            String service = this.service.toString().replace("\"","\\\"");
            String name = this.resourceId != null ? this.resourceId.replace("\"","\\\"") : "";
            String identifier = this.identifier != null ? this.identifier.replace("\"","\\\"") : "";
            String path = this.path != null ? this.path.replace("\"","\\\"") : "";
            String qdnContextVar = String.format("<script>var _qdnContext=\"%s\"; var _qdnService=\"%s\"; var _qdnName=\"%s\"; var _qdnIdentifier=\"%s\"; var _qdnPath=\"%s\";</script>", this.qdnContext, service, name, identifier, path);
            head.get(0).prepend(qdnContextVar);
            // Add base href tag
--- a/src/main/resources/q-apps/q-apps.js
+++ b/src/main/resources/q-apps/q-apps.js
@ -40,12 +40,12 @@ function handleResponse(event, response) {
 }
 function buildResourceUrl(service, name, identifier, path) {
-    if (qdnContext == "render") {
+    if (_qdnContext == "render") {
        url = "/render/" + service + "/" + name;
        if (path != null) url = url.concat((path.startsWith("/") ? "" : "/") + path);
        if (identifier != null) url = url.concat("?identifier=" + identifier);
    }
-    else if (qdnContext == "gateway") {
+    else if (_qdnContext == "gateway") {
        url = "/" + service + "/" + name;
        if (identifier != null) url = url.concat("/" + identifier);
        if (path != null) url = url.concat((path.startsWith("/") ? "" : "/") + path);
@ -329,10 +329,10 @@ else if (document.attachEvent) {
 document.addEventListener('DOMContentLoaded', () => {
    qortalRequest({
        action: "QDN_RESOURCE_DISPLAYED",
-        service: qdnService,
+        service: _qdnService,
-        name: qdnName,
+        name: _qdnName,
-        identifier: qdnIdentifier,
+        identifier: _qdnIdentifier,
-        path: qdnPath
+        path: _qdnPath
    });
 });