sec(codeql): fix potential cross-site scripting vulnerability (#427)

nikoksr · Oct 19, 2022 · ce792a2 · ce792a2
1 parent 93a1552
commit ce792a2
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/service/wechat/wechat.go b/service/wechat/wechat.go
@@ -3,6 +3,7 @@ package wechat
 import (
 	"context"
 	"fmt"
+	"html"
 	"net/http"
 	"sync"
 	"time"
@@ -73,7 +74,7 @@ func (s *Service) waitForOneOffVerification(server *http.Server, devMode bool, c
 	http.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
 		query := r.URL.Query()
 
-		echoStr := query.Get("echostr")
+		echoStr := html.EscapeString(query.Get("echostr"))
 		if devMode {
 			if callback != nil {
 				callback(r, true)