From 4d6edff169f3d3f2772ccfd64fa13dd9711d326b Mon Sep 17 00:00:00 2001
From: Nariman Jelveh <n.jelveh@gmail.com>
Date: Wed, 17 Jul 2024 18:32:02 -0700
Subject: [PATCH] Escape arguments passed to dev-center

---
 src/dev-center/js/dev-center.js | 11 +++++------
 1 file changed, 5 insertions(+), 6 deletions(-)

diff --git a/src/dev-center/js/dev-center.js b/src/dev-center/js/dev-center.js
index 5a677f3f1..7eb326391 100644
--- a/src/dev-center/js/dev-center.js
+++ b/src/dev-center/js/dev-center.js
@@ -62,21 +62,20 @@ if(domain === 'puter.localhost'){
     static_hosting_domain = 'site.puter.localhost';
 }
 
-// port
+// add port to static_hosting_domain if provided
 if (URLParams.has('puter.port') && URLParams.get('puter.port')) {
-    static_hosting_domain = static_hosting_domain + `:` + URLParams.get('puter.port');
+    static_hosting_domain = static_hosting_domain + `:` + html_encode(URLParams.get('puter.port'));
 }
 
 // protocol
 let protocol = 'https';
-if (URLParams.has('puter.protocol')) {
-    protocol = URLParams.get('puter.protocol');
-}
+if (URLParams.has('puter.protocol') && URLParams.get('puter.protocol') === 'http')
+    protocol = 'http';
 
 // port
 let port = '';
 if (URLParams.has('puter.port') && URLParams.get('puter.port')) {
-    port = URLParams.get('puter.port');
+    port = html_encode(URLParams.get('puter.port'));
 }
 
 $(document).ready(function () {