Fix CRLF issues and escape all special characters

src/placeos-rest-api/controllers/application.cr

@@ -1,6 +1,7 @@
 require "action-controller"
 require "placeos-models"
 require "uuid"
+require "html"
 
 require "../error"
 require "../utilities/*"
@@ -66,15 +67,17 @@ module PlaceOS::Api
         if ref = data[:ref]
           query_params["ref"] = ref
         end
-        response.headers["Link"] = %(<#{route}?#{query_params}>; rel="next")
+
+        link = %(<#{route}?#{query_params}>; rel="next")
+        response.headers["Link"] = HTML.escape(link)
       end
 
       data[:results]
     end
 
     def set_collection_headers(size : Int32, content_type : String)
       response.headers["X-Total-Count"] = size.to_s
-      response.headers["Content-Range"] = "#{content_type} 0-#{size - 1}/#{size}"
+      response.headers["Content-Range"] = HTML.escape("#{content_type} 0-#{size - 1}/#{size}")
     end
 
     getter! search_params : Hash(String, String)
@@ -128,7 +131,7 @@ module PlaceOS::Api
         request_id: request_id
       )
 
-      response.headers["X-Request-ID"] = request_id
+      response.headers["X-Request-ID"] = HTML.escape(request_id)
     end
 
     ###########################################################################

src/placeos-rest-api/controllers/flux.cr

@@ -1,4 +1,5 @@
 require "./application"
+require "html"
 
 module PlaceOS::Api
   class Flux < Application
@@ -16,7 +17,7 @@ module PlaceOS::Api
         "Content-Type" => request_headers["Content-Type"]? || "application/vnd.flux",
       }, body do |result|
         response.status_code = result.status_code
-        response.headers["Content-Type"] = result.headers["Content-Type"]
+        response.headers["Content-Type"] = HTML.escape(result.headers["Content-Type"])
         IO.copy(result.body_io, response)
       end
 

src/placeos-rest-api/controllers/metadata.cr

@@ -1,4 +1,5 @@
 require "promise"
+require "html"
 
 require "./application"
 
@@ -180,7 +181,9 @@ module PlaceOS::Api
         params["offset"] = (range_end + 1).to_s
         params["limit"] = limit.to_s
         path = File.join(base_route, "/#{parent_id}/history")
-        response.headers["Link"] = %(<#{path}?#{query_params}>; rel="next")
+
+        link = %(<#{path}?#{query_params}>; rel="next")
+        response.headers["Link"] = HTML.escape(link)
       end
 
       history

src/placeos-rest-api/controllers/settings.cr

@@ -1,3 +1,5 @@
+require "html"
+
 require "./application"
 
 module PlaceOS::Api
@@ -161,7 +163,9 @@ module PlaceOS::Api
         query_params["offset"] = (range_end + 1).to_s
         query_params["limit"] = limit.to_s
         path = File.join(base_route, "/#{current_settings.id}/history")
-        response.headers["Link"] = %(<#{path}?#{query_params}>; rel="next")
+
+        link = %(<#{path}?#{query_params}>; rel="next")
+        response.headers["Link"] = HTML.escape(link)
       end
 
       history

src/placeos-rest-api/controllers/users.cr

@@ -1,5 +1,6 @@
 require "oauth2"
 require "CrystalEmail"
+require "html"
 
 require "./application"
 require "./metadata"
@@ -330,7 +331,9 @@ module PlaceOS::Api
       if range_end < total
         params["offset"] = (range_end + 1).to_s
         params["limit"] = limit.to_s
-        response.headers["Link"] = %(<#{base_route}?#{params}>; rel="next")
+
+        link = %(<#{base_route}?#{params}>; rel="next")
+        response.headers["Link"] = HTML.escape(link)
       end
 
       result

src/placeos-rest-api/controllers/webhook.cr

@@ -1,4 +1,5 @@
 require "base64"
+require "html"
 require "./application"
 
 module PlaceOS::Api
@@ -131,7 +132,7 @@ module PlaceOS::Api
               if response_headers
                 # Forward response headers from the remote driver
                 ctx = context
-                response_headers.each { |key, value| ctx.response.headers[key] = value }
+                response_headers.each { |key, value| ctx.response.headers[key] = HTML.escape(value) }
               end
 
               # These calls to render will return