From aa520470169ace020384756800629ae9b7792e0c Mon Sep 17 00:00:00 2001
From: Jared Vititoe <jjvititoe1@gmail.com>
Date: Mon, 11 May 2026 09:05:53 -0400
Subject: [PATCH] fix: cache_ttl config validation; ticket_web_url via tojson
 in base.html

- app.py: wrap int(cache_ttl) in try/except so a misconfigured non-integer value falls back to 3600 instead of raising ValueError
- base.html: use Jinja2 tojson filter for ticket_web_url to ensure proper JS string escaping regardless of URL contents

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 app.py              | 6 +++++-
 templates/base.html | 2 +-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/app.py b/app.py
index 4480717..f30c0df 100644
--- a/app.py
+++ b/app.py
@@ -543,7 +543,11 @@ def api_avatar():
     os.makedirs(cache_dir, exist_ok=True)
     cache_file = os.path.join(cache_dir, f'user_{safe_name}.jpg')
     sentinel    = os.path.join(cache_dir, f'user_{safe_name}.none')
-    cache_ttl   = int(ldap_cfg.get('cache_ttl', 3600))
+    try:
+        cache_ttl = int(ldap_cfg.get('cache_ttl', 3600))
+    except (ValueError, TypeError):
+        logger.warning('Invalid cache_ttl in ldap config; using default 3600')
+        cache_ttl = 3600
 
     now = time.time()
 
diff --git a/templates/base.html b/templates/base.html
index 53b527b..b142b38 100644
--- a/templates/base.html
+++ b/templates/base.html
@@ -313,7 +313,7 @@
 
   <script>
     const GANDALF_CONFIG = {
-      ticket_web_url: "{{ config.get('ticket_api', {}).get('web_url', 'http://t.lotusguild.org/ticket/') }}"
+      ticket_web_url: {{ config.get('ticket_api', {}).get('web_url', 'http://t.lotusguild.org/ticket/') | tojson }}
     };
   </script>
   <script src="{{ url_for('static', filename='app.js') }}"></script>