Adding pre-auth keys does not work.

[apollo13]

When I try to add a pre-auth key an empty window pops up and nothing happens:

The js console & server logs show no issues.

[iFargle]

Same issue. I'll get it fixed shortly!

[iFargle]

Fixed :) thanks for pointing this out!

[apollo13]

Hi @iFargle, thank you for the fix. I see that you are using + operations to concat strings to construct HTML. An attacker can use this to inject other HTML or Javascript (consider someone setting a user_name to <b>apollo13</b> which would show up as bold). Granted the username per se is a bad example because headscale itself might forbid such usernames. Nevertheless, why open yourself for a potential vulnerability in a security sensitive UI. If you were to use Jinja for templating with escaping enabled you'd at least fix 90% of such issues.

[iFargle]

Interesting...
I'm very new to programming. I'll take all the help I can get! I'll look into this. If I can figure it out I'll push some fixes. Thank you!

[apollo13]

That is a great attitude! Feel free to tag me on PR where you want some reviews, I cannot always answer in a timely manner but I'll try 😊

…

On Sun, Mar 5, 2023, at 01:20, Albert Copeland wrote: Interesting... I'm very new to programming. I'll take all the help I can get! I'll look into this. If I can figure it out I'll push some fixes. Thank you! — Reply to this email directly, view it on GitHub <#38 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAAT5C4IP3PGAK3DKDO5SMDW2PL35ANCNFSM6AAAAAAVOZ6NLA>. You are receiving this because you authored the thread.Message ID: ***@***.***>