docker: restore TITLE env handling in entrypoint

[sstidl]

No description provided.

[qodo-free-for-open-source-projects]

Review Summary by Qodo

Restore TITLE environment variable handling in Docker entrypoint

✨ Enhancement

Walkthroughs

Description

• Restore TITLE environment variable handling in Docker entrypoint
• Replace LibreSpeed title placeholders across HTML files
• Support custom titles in classic, modern, and default HTML pages
• Properly escape special characters in title values

Diagram

flowchart LR
  A["TITLE env var"] -->|"Check if set"| B["Escape special chars"]
  B -->|"Replace in"| C["index-classic.html"]
  B -->|"Replace in"| D["index.html"]
  B -->|"Replace in"| E["index-modern.html"]
  C -->|"Update title & h1"| F["Custom title applied"]
  D -->|"Update title"| F
  E -->|"Update title"| F

Loading

File Changes

1. docker/entrypoint.sh ✨ Enhancement +8/-0

Add TITLE environment variable handling for HTML files

• Added conditional block to handle TITLE environment variable
• Escapes special characters in TITLE value for safe sed substitution
• Replaces LibreSpeed title placeholders in index-classic.html with custom title and h1 tag
• Replaces LibreSpeed title in index.html and index-modern.html with custom title

docker/entrypoint.sh

---

[qodo-free-for-open-source-projects]

Code Review by Qodo

🐞 Bugs (0) 📘 Rule violations (0) 📎 Requirement gaps (0)

1. TITLE newline breaks sed ☑ 🐞 ☼

Description

If TITLE contains a newline/CRLF, $TITLE_ESCAPED will expand to a multi-line sed program and can
error (e.g., “unterminated s command”); because the entrypoint uses set -e, this can abort
container startup in frontend/standalone/dual modes.

Code

docker/entrypoint.sh[R89-93]

+  if [ ! -z "$TITLE" ]; then
+    TITLE_ESCAPED=$(printf '%s\n' "$TITLE" | sed 's/[&/\\]/\\&/g; s/\$/\\$/g')
+    sed -i "s/<title>LibreSpeed<\\/title>/<title>$TITLE_ESCAPED<\\/title>/g; s/<h1>LibreSpeed<\\/h1>/<h1>$TITLE_ESCAPED<\\/h1>/g" /var/www/html/index-classic.html
+    sed -i "s/<title>LibreSpeed<\\/title>/<title>$TITLE_ESCAPED<\\/title>/g" /var/www/html/index.html
+    sed -i "s/<title>LibreSpeed - Free and Open Source Speedtest<\\/title>/<title>$TITLE_ESCAPED - Free and Open Source Speedtest<\\/title>/g" /var/www/html/index-modern.html

Evidence

The entrypoint is configured to exit immediately on any command failure, and the new code inserts
$TITLE_ESCAPED directly into a double-quoted sed script without stripping/encoding newline
characters. Sed treats newlines as command separators, so embedded newlines in the replacement can
make the s/// expression syntactically invalid and terminate the script.

docker/entrypoint.sh[13-14]
docker/entrypoint.sh[88-94]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`TITLE` is interpolated into a `sed -i "s/.../$TITLE_ESCAPED/.../"` program without removing embedded newlines. If `TITLE` includes `\n`/`\r`, the sed program can become multi-line and fail, and `set -e` will abort container startup.
### Issue Context
The new TITLE block mirrors the existing sed-escaping approach for `SERVER_LIST_URL` / `GDPR_EMAIL`, but it does not address newline characters (which are not handled by the current `sed 's/[&/\\]/.../'` escaping).
### Fix Focus Areas
- docker/entrypoint.sh[88-94]
### Implementation notes
- Normalize TITLE to a single line before sed-escaping, e.g. delete `\r` and replace `\n` with a space (or delete), then run the existing sed escape.
- Example approach (bash):
- `TITLE_ONE_LINE=${TITLE//$'\r'/}`
- `TITLE_ONE_LINE=${TITLE_ONE_LINE//$'\n'/ }`
- then build `TITLE_ESCAPED` from `TITLE_ONE_LINE`.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

2. TITLE not HTML-escaped ☑ 🐞 ≡

Description

The entrypoint replaces `/ contents with the raw TITLE` string, so values containing
HTML-significant characters (like `, &`) will be interpreted as markup and can break the served
page structure.

Code

docker/entrypoint.sh[R90-92]

+    TITLE_ESCAPED=$(printf '%s\n' "$TITLE" | sed 's/[&/\\]/\\&/g; s/\$/\\$/g')
+    sed -i "s/<title>LibreSpeed<\\/title>/<title>$TITLE_ESCAPED<\\/title>/g; s/<h1>LibreSpeed<\\/h1>/<h1>$TITLE_ESCAPED<\\/h1>/g" /var/www/html/index-classic.html
+    sed -i "s/<title>LibreSpeed<\\/title>/<title>$TITLE_ESCAPED<\\/title>/g" /var/www/html/index.html

Evidence

The code’s escaping only targets sed metacharacters (&, /, \, $) but then injects the result
directly into HTML tag bodies. The placeholders being replaced are literal LibreSpeed and
LibreSpeed in the shipped HTML, and documentation describes TITLE as a user-provided title string
(not HTML).

docker/entrypoint.sh[88-93]
index-classic.html[489-494]
index.html[2-10]
index-modern.html[12-18]
doc_docker.md[57-61]

Agent prompt

The issue below was found during a code review. Follow the provided context and guidance below and implement a solution

## Issue description
`TITLE` is inserted into `<title>` and `<h1>` bodies without HTML entity escaping. Titles containing `<`, `>`, or `&` will be treated as markup and can corrupt the HTML output.
### Issue Context
Current logic only escapes sed replacement metacharacters, not HTML entities.
### Fix Focus Areas
- docker/entrypoint.sh[88-94]
### Implementation notes
- Add an HTML-escape step for TITLE (at minimum: `&`, `<`, `>`; optionally also `"` and `'`) before performing sed escaping.
- Keep the sed-escaping step after HTML-escaping so the result is safe for both HTML and sed replacement.
- Consider extracting helper functions (e.g., `html_escape()` and `sed_escape()`) and reusing for other HTML substitutions (like GDPR email) for consistency.

ⓘ Copy this prompt and use it to remediate the issue with your preferred AI generation tools

---

ⓘ The new review experience is currently in Beta. Learn more