From da6964c19afbb24848c997b1d8b1f9995d360791 Mon Sep 17 00:00:00 2001
From: Targunitoth
Date: Thu, 25 Apr 2024 13:51:40 +0200
Subject: [PATCH] Escape the apprise -b parameter
---
 src/util.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/util.js b/src/util.js
index bda3f78..69cbf7a 100644
--- a/src/util.js
+++ b/src/util.js
@@ -116,7 +116,7 @@ export const notify = html => new Promise((resolve, reject) => {
 return resolve();
 }
 // const cmd = `apprise '${cfg.notify}' ${title} -i html -b '${html}'`; // this had problems if e.g. ' was used in arg; could have `npm i shell-escape`, but instead using safer execFile which takes args as array instead of exec which spawned a shell to execute the command
- const args = [cfg.notify, '-i', 'html', '-b', html];
+ const args = [cfg.notify, '-i', 'html', '-b', `'${html}'`];
 if (cfg.notify_title) args.push(...['-t', cfg.notify_title]);
 if (cfg.debug) console.debug(`apprise ${args.map(a => `'${a}'`).join(' ')}`); // this also doesn't escape, but it's just for info
 execFile('apprise', args, (error, stdout, stderr) => {
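Review bot: The single quotes added around `html` on the new `args` line do not escape anything, because `execFile` hands each array element to apprise verbatim without a shell, so every notification body will now begin and end with a literal `'`. Quote-wrapping would not be a safe escape through a shell either, since a `'` inside `html` ends the quoting, which is the problem the comment above this line already describes. I would keep `const args = [cfg.notify, '-i', 'html', '-b', html];` and, if the underlying issue is a body starting with `-` being read as an option (an assumption, the commit does not say), pass the value as a single token such as ``args.push(`--body=${html}`)``. The body of `notify` starts before and continues past this hunk, so where `html` comes from and how much of it is untrusted is not visible here.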