From e014a207efd2d639797688b5f0e48a90aad92bba Mon Sep 17 00:00:00 2001
From: CalDescent
Date: Wed, 3 May 2023 19:28:26 +0100
Subject: [PATCH] Escape all vars added by HTML parser

---
 src/main/java/org/qortal/api/HTMLParser.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/src/main/java/org/qortal/api/HTMLParser.java b/src/main/java/org/qortal/api/HTMLParser.java
index 03cdb066..2bf8947d 100644
--- a/src/main/java/org/qortal/api/HTMLParser.java
+++ b/src/main/java/org/qortal/api/HTMLParser.java
@@ -55,12 +55,15 @@ public class HTMLParser {
 }
 
 // Escape and add vars
+ String qdnContext = this.qdnContext != null ? this.qdnContext.replace("\"","\\\"") : "";
 String service = this.service.toString().replace("\"","\\\"");
 String name = this.resourceId != null ? this.resourceId.replace("\"","\\\"") : "";
 String identifier = this.identifier != null ? this.identifier.replace("\"","\\\"") : "";
 String path = this.path != null ? this.path.replace("\"","\\\"") : "";
 String theme = this.theme != null ? this.theme.replace("\"","\\\"") : "";
- String qdnContextVar = String.format("", this.qdnContext, theme, service, name, identifier, path, this.qdnBase, this.qdnBaseWithPath);
+ String qdnBase = this.qdnBase != null ? this.qdnBase.replace("\"","\\\"") : "";
+ String qdnBaseWithPath = this.qdnBaseWithPath != null ? this.qdnBaseWithPath.replace("\"","\\\"") : "";
+ String qdnContextVar = String.format("", qdnContext, theme, service, name, identifier, path, qdnBase, qdnBaseWithPath);
 head.get(0).prepend(qdnContextVar);
 
 // Add base href tag
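Review bot: Replacing only `"` with `\"` is not a complete escape for a value placed inside a quoted script string literal, so the three added lines for `qdnContext`, `qdnBase` and `qdnBaseWithPath` inherit the same gap as the existing `name`, `identifier`, `path` and `theme` lines: a value that already contains `\"` becomes `\\"`, which the browser reads as an escaped backslash followed by a closing quote, and a `</script>` sequence or a raw newline/U+2028 in the value ends the block or the literal regardless of quoting. The format string itself is not visible here (it shows as `""` on this page), so the script-literal context is inferred from the quote escaping; if any of these fields can be influenced by the requester (the path and resource id look like candidates), this is a stored/reflected script-injection risk rather than a cosmetic one. Escape backslashes first, then quotes, line terminators and `<`, and route every value through one helper so the rule cannot drift between fields. The enclosing method starts and ends outside this hunk.
```java
/** Escapes a value for use inside a double-quoted JavaScript string literal embedded in HTML; null becomes "". */
private static String escapeForJsString(String value) {
    if (value == null) {
        return "";
    }
    return value.replace("\\", "\\\\")      // backslash first, so later escapes are not undone
                .replace("\"", "\\\"")
                .replace("\n", "\\n")
                .replace("\r", "\\r")
                .replace("\u2028", "\\u2028") // JS line terminators not covered by \n and \r
                .replace("\u2029", "\\u2029")
                .replace("<", "\\u003c");     // keeps "</script>" from closing the block
}

// … unchanged: service/name/identifier/path/theme, ideally switched to the same helper …
String qdnContext = escapeForJsString(this.qdnContext);
String qdnBase = escapeForJsString(this.qdnBase);
String qdnBaseWithPath = escapeForJsString(this.qdnBaseWithPath);
```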