diff --git a/providers/class-two-factor-totp.php b/providers/class-two-factor-totp.php
index 19e29e62..570ceeb0 100644
--- a/providers/class-two-factor-totp.php
+++ b/providers/class-two-factor-totp.php
@@ -151,13 +151,32 @@ public function user_two_factor_options( $user ) {
 if ( empty( $key ) ) :
 $key = $this->generate_key();
 $site_name = get_bloginfo( 'name', 'display' );
+
+ // Must follow TOTP format for a "label":
+ // https://github.com/google/google-authenticator/wiki/Key-Uri-Format#label
+ // Do not URL encode, that will be done later.
 $totp_title = apply_filters( 'two_factor_totp_title', $site_name . ':' . $user->user_login, $user );
+
+ $totp_url = add_query_arg(
+ array(
+ 'secret' => rawurlencode( $key ),
+ 'issuer' => rawurlencode( $site_name ),
+ ),
+ 'otpauth://totp/' . rawurlencode( $totp_title )
+ );
+
+ // Must follow TOTP format:
+ // https://github.com/google/google-authenticator/wiki/Key-Uri-Format
+ $totp_url = apply_filters( 'two_factor_totp_url', $totp_url, $user );
+ $totp_url = esc_url( $totp_url, array( 'otpauth' ) );
+ ?>
+
-
+
Loading...
@@ -179,21 +198,12 @@ public function user_two_factor_options( $user ) {
* L = Least amount of error correction, because it's not needed when scanning
* on a monitor, and it lowers the image size.
*/
- var qr = qrcode( 0, 'L' );
- var secret = '';
- var label = encodeURI( '' );
- var issuer = encodeURI( '' );
- var url = 'otpauth://totp/' + label + '?secret=' + secret + '&issuer=' + issuer;
- var target = document.querySelector( '#two-factor-qr-code a' );
-
- qr.addData( url );
+ var qr = qrcode( 0, 'L' );
+
+ qr.addData( );
qr.make();
- // ⚠️ Intentionally using GIF here instead of SVG, for security. The benefits
- // of SVG in this situation are minimal, but it would introduce the possibility
- // of malicious JS being injected into the SVG and causing XSS.
- target.href = url;
- target.innerHTML = qr.createImgTag( 5 );
+ document.querySelector( '#two-factor-qr-code a' ).innerHTML = qr.createSvgTag( 5 );
} );
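Review bot: The last added line writes `qr.createSvgTag( 5 )` into `innerHTML` while the removed lines drop the comment that recorded GIF-over-SVG as a deliberate XSS precaution, and nothing on the new side says why that reasoning no longer holds. If the library's SVG output is built purely from the QR module matrix (path geometry, no caller-supplied text), keep that justification next to the call, e.g. `// SVG markup is generated from the QR bit matrix only; the URL itself reaches the page solely via the JSON-encoded addData() argument` — hedged, because the `qr.addData( )` argument is blank in this view (presumably a stripped PHP echo of `$totp_url`). Separately, per the earlier hunk `$totp_url` has already been through `esc_url()` in its default display context, which rewrites `&` as `&#038;`; if that same string feeds `qr.addData`, the query separator in the scanned URI is corrupted and the `issuer` parameter is lost, so pass the QR encoder the raw URL (e.g. `esc_url_raw( $totp_url, array( 'otpauth' ) )`) and apply `esc_url()` only at the `href`. The removed `target.href = url` has no visible replacement on the new side; presumably the anchor's href is now rendered server-side in markup not shown here, which is worth confirming. The enclosing script handler starts before this hunk and the lines after `} );` are not visible.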