fix: escape QueryParam

service/auth.go

@@ -105,7 +105,9 @@ func HandleDeleteAccountPage(db *sql.DB) http.HandlerFunc {
 
 func HandleSignUpVerifyResponsePage(db *sql.DB) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
+
 		token := r.URL.Query().Get("token")
+
 		if token == "" {
 			utils.DoRedirect(w, r, "/auth/verify")
 			return
@@ -212,7 +214,7 @@ func HandleSignUpComp(db *sql.DB) http.HandlerFunc {
 		}
 
 		// Send verification email as a goroutine
-		go sendVerificationEmail(db, r, userId.String(), email)
+		go sendVerificationEmail(db, userId.String(), email)
 
 		utils.DoRedirect(w, r, "/auth/verify")
 	}
@@ -352,13 +354,13 @@ func HandleVerifyResendComp(db *sql.DB) http.HandlerFunc {
 			return
 		}
 
-		go sendVerificationEmail(db, r, user.Id.String(), user.Email)
+		go sendVerificationEmail(db, user.Id.String(), user.Email)
 
 		w.Write([]byte("<p class=\"mt-8\">Verification email sent</p>"))
 	}
 }
 
-func sendVerificationEmail(db *sql.DB, r *http.Request, userId string, email string) {
+func sendVerificationEmail(db *sql.DB, userId string, email string) {
 
 	var token string
 	err := db.QueryRow("SELECT token FROM user_token WHERE user_uuid = ? AND type = 'email_verify'", userId).Scan(&token)

template/mail/register.templ

@@ -1,6 +1,9 @@
 package mail;
 
-import "me-fit/utils"
+import (
+	"me-fit/utils"
+	"net/url"
+)
 
 templ Register(mailCode string) {
 	<!DOCTYPE html>
@@ -12,7 +15,7 @@ templ Register(mailCode string) {
 		</head>
 		<body>
 			<h4>Thank you for Sign Up!</h4>
-			<p>Click <a href={ templ.URL(utils.BaseUrl + "/auth/verify-email?token=" + mailCode) }>here</a> to verify your account.</p>
+			<p>Click <a href={ templ.URL(utils.BaseUrl + "/auth/verify-email?token=" + url.QueryEscape(mailCode)) }>here</a> to verify your account.</p>
 			<p>Kind regards</p>
 		</body>
 	</html>