From fdc36c8e3c4d1e5a2210cf9e08700ccfd435630d Mon Sep 17 00:00:00 2001
From: Eva Ho
Date: Mon, 17 Nov 2025 15:08:19 -0500
Subject: [PATCH] app: use JSON encoding for path parameters in deeplink URL handlers
---
 app/cmd/app/webview.go | 12 ++++++++++--
 app/webview/webview.h | 7 ++++++-
 2 files changed, 16 insertions(+), 3 deletions(-)
diff --git a/app/cmd/app/webview.go b/app/cmd/app/webview.go
index 9332f10b4..796eb095a 100644
--- a/app/cmd/app/webview.go
+++ b/app/cmd/app/webview.go
@@ -466,9 +466,17 @@ func (w *Webview) Run(path string) unsafe.Pointer {
 w.webview = wv
 w.webview.Navigate(url)
 } else {
+ // marshal to JSON string first to ensure it's properly escaped
+ pathJSON, err := json.Marshal(path)
+ if err != nil {
+ slog.Error("failed to encode path for navigation", "path", path, "error", err)
+ showWindow(w.webview.Window())
+ return w.webview.Window()
+ }
+
 w.webview.Eval(fmt.Sprintf(`
- history.pushState({}, '', '%s');
- `, path))
+ history.pushState({}, '', %s);
+ `, pathJSON))
 showWindow(w.webview.Window())
 }
diff --git a/app/webview/webview.h b/app/webview/webview.h
index 0a14f380e..40ebd3261 100644
--- a/app/webview/webview.h
+++ b/app/webview/webview.h
@@ -2978,7 +2978,12 @@ public:
 }
 }
- std::string js = "history.pushState({}, '', '" + path + "'); window.dispatchEvent(new PopStateEvent('popstate'));";
+ // Safely encode the path for JavaScript using JSON encoding
+ // This handles all special characters: quotes, newlines, backslashes, etc.
+ // json_escape adds quotes around the string and escapes all special chars
+ std::string path_json = detail::json_escape(path, true);
+ std::string js = "history.pushState({}, '', " + path_json + "); window.dispatchEvent(new PopStateEvent('popstate'));";
 std::wstring wjs = widen_string(js);
 sender->ExecuteScript(wjs.c_str(), nullptr);
 } else {
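Review bot: The JSON encoding makes `path` a safe JS string literal, but the value itself still reaches `history.pushState` unvalidated; if it originates from an external deeplink as the subject suggests, an absolute or `//host` URL makes pushState throw a SecurityError inside the page, which `Eval` gives the Go side no way to observe, and the window is shown regardless. Fold a route check into the guard the commit already adds, e.g. `if err != nil || !strings.HasPrefix(path, "/") || strings.HasPrefix(path, "//") {` with the log message changed to `"refusing to navigate to path"` (adding the `strings` import if it is not already present). Note also that `json.Marshal` of a Go `string` does not return an error for invalid UTF-8 (it substitutes U+FFFD), so the `err` branch is defensive only; a one-line comment saying so would stop a later reader from relying on it to reject bad input. Unlike the webview.h counterpart in this commit, this branch does not dispatch a `popstate` event after pushState, so it is worth confirming the frontend router reacts to the pushState alone here. `Run` begins and ends outside the hunk.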
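Review bot: The new `js` string is now a well-formed JS literal, but `path` is still not validated before it reaches `history.pushState`, and `ExecuteScript` is called with a `nullptr` completion handler, so a cross-origin or otherwise rejected URL throws a SecurityError inside the page that this code never sees. If `path` can come from an external deeplink as the subject suggests, reject anything that is not an in-app relative path before building `js`, e.g. `if (path.empty() || path[0] != '/' || path.rfind("//", 0) == 0) { return; }`, and consider passing a handler to `ExecuteScript` that logs a failed HRESULT instead of discarding it. The three-line comment overstates what JSON encoding guarantees: JSON does not require escaping U+2028/U+2029, which older JS engines treated as line terminators, so I would phrase it as `// JSON-encode path so it is a valid JS string literal (quotes, backslashes, control chars); relies on the Chromium engine accepting U+2028/U+2029 unescaped` rather than "all special characters" (this looks like the WebView2 path, given the `ExecuteScript` signature, but confirm). The enclosing function begins and ends outside the hunk.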