app: use JSON encoding for path parameters in deeplink URL handlers

2025-11-17 15:08:19 -05:00 · 2025-11-17 15:08:19 -05:00 · fdc36c8e3c
parent 231cc878cb
commit fdc36c8e3c
2 changed files with 16 additions and 3 deletions
--- a/app/cmd/app/webview.go
+++ b/app/cmd/app/webview.go
@ -466,9 +466,17 @@ func (w *Webview) Run(path string) unsafe.Pointer {
 		w.webview = wv
 		w.webview.Navigate(url)
 	} else {
+		// marshal to JSON string first to ensure it's properly escaped
+		pathJSON, err := json.Marshal(path)
+		if err != nil {
+			slog.Error("failed to encode path for navigation", "path", path, "error", err)
+			showWindow(w.webview.Window())
+			return w.webview.Window()
+		}
+
 		w.webview.Eval(fmt.Sprintf(`
-			history.pushState({}, '', '%s');
-		`, path))
+			history.pushState({}, '', %s);
+		`, pathJSON))
 		showWindow(w.webview.Window())
 	}

--- a/app/webview/webview.h
+++ b/app/webview/webview.h
@ -2978,7 +2978,12 @@ public:
                }
            }
            
-            std::string js = "history.pushState({}, '', '" + path + "'); window.dispatchEvent(new PopStateEvent('popstate'));";
+            // Safely encode the path for JavaScript using JSON encoding
+            // This handles all special characters: quotes, newlines, backslashes, etc.
+            // json_escape adds quotes around the string and escapes all special chars
+            std::string path_json = detail::json_escape(path, true);
+            
+            std::string js = "history.pushState({}, '', " + path_json + "); window.dispatchEvent(new PopStateEvent('popstate'));";
            std::wstring wjs = widen_string(js);
            sender->ExecuteScript(wjs.c_str(), nullptr);
        } else {