From ae75fce3ae362c8e69d28c1e966fff02ae8bde4c Mon Sep 17 00:00:00 2001
From: Tim Wundenberg
Date: Thu, 12 Sep 2024 22:01:25 +0200
Subject: [PATCH] fix: escape QueryParam
---
 service/auth.go | 8 +++++---
 template/mail/register.templ | 7 +++++--
 2 files changed, 10 insertions(+), 5 deletions(-)
diff --git a/service/auth.go b/service/auth.go
index 6cce269..338e77c 100644
--- a/service/auth.go
+++ b/service/auth.go
@@ -105,7 +105,9 @@ func HandleDeleteAccountPage(db *sql.DB) http.HandlerFunc {
 func HandleSignUpVerifyResponsePage(db *sql.DB) http.HandlerFunc {
 return func(w http.ResponseWriter, r *http.Request) {
+ token := r.URL.Query().Get("token")
+
 if token == "" {
 utils.DoRedirect(w, r, "/auth/verify")
 return
@@ -212,7 +214,7 @@ func HandleSignUpComp(db *sql.DB) http.HandlerFunc {
 }
 // Send verification email as a goroutine
- go sendVerificationEmail(db, r, userId.String(), email)
+ go sendVerificationEmail(db, userId.String(), email)
 utils.DoRedirect(w, r, "/auth/verify")
 }
 }
@@ -352,13 +354,13 @@ func HandleVerifyResendComp(db *sql.DB) http.HandlerFunc {
 return
 }
- go sendVerificationEmail(db, r, user.Id.String(), user.Email)
+ go sendVerificationEmail(db, user.Id.String(), user.Email)
 w.Write([]byte("
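Review bot: The added `token := r.URL.Query().Get("token")` is followed only by an empty-string check, so a value of any length or character set is accepted and flows into whatever lookup the handler performs after the hunk. A cheap shape check next to that line, e.g. `if token == "" || len(token) > 64 { // 64 is a placeholder; use the generator's real token length`, rejects malformed input before any database round-trip; the user_token query visible later in this file is parameterized, so this is defence in depth rather than an injection fix. The token is the only secret gating verification here, which is why its validation deserves to sit at the point it is read. The handler body of HandleSignUpVerifyResponsePage continues outside the hunk.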

Verification email sent

"))
 }
 }
-func sendVerificationEmail(db *sql.DB, r *http.Request, userId string, email string) {
+func sendVerificationEmail(db *sql.DB, userId string, email string) {
 var token string
 err := db.QueryRow("SELECT token FROM user_token WHERE user_uuid = ? AND type = 'email_verify'", userId).Scan(&token)
diff --git a/template/mail/register.templ b/template/mail/register.templ
index c8f6a0f..6072314 100644
--- a/template/mail/register.templ
+++ b/template/mail/register.templ
@@ -1,6 +1,9 @@
 package mail;
-import "me-fit/utils"
+import (
+ "me-fit/utils"
+ "net/url"
+)
 templ Register(mailCode string) {
@@ -12,7 +15,7 @@ templ Register(mailCode string) {
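Review bot: The new signature `func sendVerificationEmail(db *sql.DB, userId string, email string)` has no doc comment, and because both call sites in the hunks above launch it with `go` and it returns nothing, the fact that its failures never reach the handlers is worth stating: `// sendVerificationEmail looks up the user's pending email_verify token and, from its name, sends it to email. It is started as a goroutine by the sign-up and resend handlers, so a failed lookup or send cannot be reported to them.`. Dropping the `*http.Request` parameter is the right move for a goroutine, since the request must not be touched after the handler returns. On style, Go's initialism convention would spell the parameter `userID` and the two string parameters can share one type, `userID, email string`, though that rename also touches the QueryRow argument inside the hunk. The body of sendVerificationEmail continues outside the hunk.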

Thank you for Sign Up!

-

Click