-
Notifications
You must be signed in to change notification settings - Fork 159
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Generate QR codes locally with JS #487
Conversation
39497c3
to
0f38c2a
Compare
Additionally, It would be worth changing this from just a QR image, to also linking to the otpauth url. Ie. -<p id="two-factor-qr-placeholder">QR</p>
+<a id="two-factor-qr-placeholder" href="otpauth://....">QR</a> I've tested this on mobile and desktop, and works as expected with FreeOTP, Yubico Authenticator, and the Apple Password Manager. |
That's a good idea, done in 68ed4f2 |
Co-authored-by: Dion Hulse <dion@wordpress.org>
6f33e71
to
8e01621
Compare
<p> | ||
<img src="<?php echo esc_url( $this->get_google_qr_code( $totp_title, $key, $site_name ) ); ?>" id="two-factor-totp-qrcode" /> | ||
<p id="two-factor-qr-code"> | ||
<a href="<?php echo $totp_url; ?>"> |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be escaped with esc_url()
.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It is escaped above (same w/ the other). Normally I'd escape as late as possible, but this one needs the extra param for the otpauth
protocol, which would make those echo
s fairly long and less readable, and duplicated instead of DRY.
I don't feel strongly either way though. I'm happy to change it if you'd prefer.
Fixes #42
Closes #388 - This is an alternate approach, which addresses the concerns I raised there.
Closes #443 - There won't be an external URL to filter anymore. This has filters for the local URL, though
I don't think a PHP fallback is needed, since disabling JS is extremely rare, and the manual secret already serves that purpose.