add link to otpauth url - fixup into main commit

WordPress · Nov 8, 2022 · 68ed4f2 · 68ed4f2
1 parent 0f38c2a
commit 68ed4f2
Showing 1 changed file with 10 additions and 3 deletions.
diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
@@ -152,10 +152,15 @@ public function user_two_factor_options( $user ) {
 			<p>
 				<?php esc_html_e( 'Please scan the QR code or manually enter the key, then enter an authentication code from your app in order to complete setup.', 'two-factor' ); ?>
 			</p>
-			<p id="two-factor-qr-placeholder"></p>
+			<p id="two-factor-qr-code">
+				<a>
+					Loading...
+					<img src="<?php echo admin_url('images/spinner.gif'); ?>" alt="" />
+				</a>
+			</p>
 
 			<style>
-				#two-factor-qr-placeholder {
+				#two-factor-qr-code {
 					/* The size of the image will change based on the length of the URL inside it. */
 					min-width: 205px;
 					min-height: 205px;
@@ -175,14 +180,16 @@ public function user_two_factor_options( $user ) {
 					var label  = encodeURI( '<?php echo esc_js( $totp_title ); ?>' );
 					var issuer = encodeURI( '<?php echo esc_js( $site_name ); ?>' );
 					var url    = 'otpauth://totp/' + label + '?secret=' + secret + '&issuer=' + issuer;
+					var target = document.querySelector( '#two-factor-qr-code a' );
 
 					qr.addData( url );
 					qr.make();
 
 					// ⚠️ Intentionally using GIF here instead of SVG, for security. The benefits
 					// of SVG in this situation are minimal, but it would introduce the possibility
 					// of malicious JS being injected into the SVG and causing XSS.
-					document.getElementById( 'two-factor-qr-placeholder' ).innerHTML = qr.createImgTag( 5 );
+					target.href      = url;
+					target.innerHTML = qr.createImgTag( 5 );
 				} );
 			</script>