From e4a6ef9ba4fcbf7b40dcfb01714482f7dec71bf1 Mon Sep 17 00:00:00 2001
From: Uwe Steinmann
Date: Thu, 24 Jul 2025 22:06:37 +0200
Subject: [PATCH] html escape secret
---
 views/bootstrap/class.Setup2Factor.php | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/views/bootstrap/class.Setup2Factor.php b/views/bootstrap/class.Setup2Factor.php
index 45e34e4f3..6426d1592 100644
--- a/views/bootstrap/class.Setup2Factor.php
+++ b/views/bootstrap/class.Setup2Factor.php
@@ -21,6 +21,9 @@
 */
 require "vendor/autoload.php";
+use RobThree\Auth\TwoFactorAuth;
+use RobThree\Auth\Providers\Qr\BaconQrCodeProvider;
+
 /**
 * Class which outputs the html page for ForcePasswordChange view
 *
@@ -81,7 +84,8 @@ $(document).ready( function() {
 $this->columnStart(6);
 $this->contentHeading(getMLText('2_fact_auth_new_secret'));
- $tfa = new \RobThree\Auth\TwoFactorAuth('SeedDMS: '.$sitename);
+// $tfa = new \RobThree\Auth\TwoFactorAuth('SeedDMS: '.$sitename);
+ $tfa = new TwoFactorAuth(new BaconQrCodeProvider());
 $oldsecret = $user->getSecret();
 $secret = $tfa->createSecret();
 ?>
@@ -99,17 +103,17 @@ $(document).ready( function() {
 )
 );
 $this->formSubmit(getMLText('submit_2_fact_auth'));
+ echo '
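Review bot: The new constructor call `new TwoFactorAuth(new BaconQrCodeProvider())` in the second hunk no longer passes the issuer label `'SeedDMS: '.$sitename` that the removed line supplied, so the provisioning data built from `$tfa` would presumably carry no issuer and authenticator apps would show an unlabelled entry. If the installed library version accepts the issuer as an argument after the QR provider (worth confirming against its constructor), keep it: `$tfa = new TwoFactorAuth(new BaconQrCodeProvider(), 'SeedDMS: '.$sitename);`. The commented-out old line should be deleted rather than left next to its replacement, since version control already holds it. The enclosing method starts and ends outside this hunk.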
'; + echo ''; + echo '
'; ?> -
- -
columnEnd(); $this->columnStart(6); $this->contentHeading(getMLText('2_fact_auth_current_secret')); - echo '
'.$oldsecret.'
'; + echo '
'.htmlspecialchars($oldsecret).'
'; echo '
'; ?> htmlEndPage(); } /* }}} */ } -?>
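Review bot: `htmlspecialchars($oldsecret)` is called with default flags and on a value that may be null when the user has no secret yet (`$user->getSecret()` is not shown, so that part is an assumption); the default flags differ between PHP versions and passing null is deprecated since PHP 8.1. Spelling it out keeps the escaping identical everywhere: `htmlspecialchars((string) $oldsecret, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8')`. Separately, this block still renders the active TOTP seed to any authenticated session, so whoever holds that session can copy the second factor; consider dropping the display or gating it behind re-authentication. The markup inside the echo strings is not visible on this page, and the method body continues outside the hunk.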