fix: Prevent JavaScript injection in fontFamily configuration

koki-develop · claude · koki-develop · commit 3e9babe03745 · 2025-10-04T16:28:20.000+09:00
Fixed a security vulnerability where unescaped fontFamily values could cause JavaScript syntax errors or arbitrary code execution. Now using strconv.Quote to properly escape special characters in font family names. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/internal/ui/update.go b/internal/ui/update.go
@@ -3,6 +3,7 @@ package ui
 import (
 	"fmt"
 	"path/filepath"
+	"strconv"
 	"time"
 
 	"github.com/charmbracelet/bubbles/spinner"
@@ -145,8 +146,8 @@ func (m *Model) setupPage(page *rod.Page) error {
 	}
 
 	// font family
-	if m.config.Settings.FontFamily != nil {
-		if _, err := page.Eval(fmt.Sprintf("() => term.options.fontFamily = '%s'", *m.config.Settings.FontFamily)); err != nil {
+	if ff := m.config.Settings.FontFamily; ff != nil {
+		if _, err := page.Eval(fmt.Sprintf("() => term.options.fontFamily = %s", strconv.Quote(*ff))); err != nil {
 			return err
 		}
 	}

Original file line number	Diff line number	Diff line change
`@@ -3,6 +3,7 @@ package ui`
`3`	`3`	`import (`
`4`	`4`	`"fmt"`
`5`	`5`	`"path/filepath"`
	`6`	`+ "strconv"`
`6`	`7`	`"time"`
`7`	`8`
`8`	`9`	`"github.com/charmbracelet/bubbles/spinner"`
`@@ -145,8 +146,8 @@ func (m Model) setupPage(page rod.Page) error {`
`145`	`146`	`}`
`146`	`147`
`147`	`148`	`// font family`
`148`		`- if m.config.Settings.FontFamily != nil {`
`149`		`- if _, err := page.Eval(fmt.Sprintf("() => term.options.fontFamily = '%s'", *m.config.Settings.FontFamily)); err != nil {`
	`149`	`+ if ff := m.config.Settings.FontFamily; ff != nil {`
	`150`	`+ if _, err := page.Eval(fmt.Sprintf("() => term.options.fontFamily = %s", strconv.Quote(*ff))); err != nil {`
`150`	`151`	`return err`
`151`	`152`	`}`
`152`	`153`	`}`