From 88dbc75f5dd14d488d8822ba82012a11f4605886 Mon Sep 17 00:00:00 2001
From: Skylar Ittner
Date: Sat, 9 Dec 2017 22:34:01 -0700
Subject: [PATCH] Add Base32 validation, better URL entity decoding
---
 www/views/addotp.html | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/www/views/addotp.html b/www/views/addotp.html
index 5474320..4a77519 100644
--- a/www/views/addotp.html
+++ b/www/views/addotp.html
@@ -55,6 +55,12 @@
 navigator.notification.alert("Missing secret key.", null, "Error", 'Dismiss');
 return;
 }
+ key = key.toUpperCase();
+ /* Thanks to https://stackoverflow.com/a/27362880 for the regex */
+ if (!key.match(/^(?:[A-Z2-7]{8})*(?:[A-Z2-7]{2}={6}|[A-Z2-7]{4}={4}|[A-Z2-7]{5}={3}|[A-Z2-7]{7}=)?$/)) {
+ navigator.notification.alert("Secret key is not valid base32.", null, "Error", 'Dismiss');
+ return;
+ }
 if (label == "") {
 navigator.notification.alert("Missing label.", null, "Error", 'Dismiss');
 return;
@@ -112,6 +118,14 @@
 return;
 }
 }
+ try {
+ secret = decodeURIComponent(secret);
+ issuer = decodeURIComponent(issuer);
+ label = decodeURIComponent(label);
+ } catch (e) {
+ navigator.notification.alert("Could not decode OTP URI.", null, "Error", 'Dismiss');
+ return;
+ }
 addOTP(secret, label, issuer);
 }
 },
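Review bot: The added pattern accepts only keys whose length is a multiple of 8 including full `=` padding, so a well-formed secret entered without padding or in space-separated groups is rejected as "not valid base32". Consider normalising before the check, e.g. `key = key.replace(/\s+/g, '').replace(/=+$/, '').toUpperCase();`, then testing `/^[A-Z2-7]+$/` together with a length check (an unpadded Base32 length is never 1, 3 or 6 modulo 8). Whether the decoder used later tolerates unpadded input is not visible here, so confirm that before relaxing the pattern. The enclosing function starts and ends outside the hunk.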
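Review bot: The decoded `secret`, `label` and `issuer` are passed straight to `addOTP()` after the `try` block, so any check made earlier on the still-encoded URI (those lines are outside the hunk) does not cover the values that are actually stored. They come from an OTP URI, presumably one read from a QR code, and once decoded `label` and `issuer` can contain `<`, `"` or control characters; if the list view inserts them as HTML rather than text, that becomes a script-injection path in the WebView, so confirm they are rendered with text-only APIs. It would also be worth applying the Base32 check used for manual entry to `secret` at this point, unless `addOTP()` already does so. A comment above the `try` such as `/* values come from an untrusted otpauth URI; validate after decoding */` would record the intent.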