fixing minor security issues

app-code/api/login/check_passkey.php

@@ -7,6 +7,12 @@ include "../utils/security.php";
 secure_session_start();
 require_same_origin_request();
 require_csrf_token();
+
+function print_json_response($data): void
+{
+    print(htmlentities(json_encode($data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT), ENT_NOQUOTES, 'UTF-8'));
+}
+
 include "../../config/config.php";
 $conn = new mysqli($DB_SERVERNAME, $DB_USERNAME, $DB_PASSWORD,$DB_DATABASE);
 if ($conn->connect_error) {
@@ -90,7 +96,7 @@ try {
         // Get create arguments
         $createArgs = $WebAuthn->getCreateArgs(\hex2bin($userId), $userName, $userDisplayName, 60*4, $requireResidentKey, $userVerification);
         header('Content-Type: application/json');
-        print(json_encode($createArgs));
+        print_json_response($createArgs);
 
         // Save challenge to session or somewhere else if needed
     } else if ($fn === 'getGetArgs') {
@@ -120,7 +126,7 @@ try {
         $getArgs = $WebAuthn->getGetArgs($ids, 60*4, $typeUsb, $typeNfc, $typeBle, $typeHyb, $typeInt, $userVerification);
 
         header('Content-Type: application/json');
-        print(json_encode($getArgs));
+        print_json_response($getArgs);
 
         // save challange to session. you have to deliver it to processGet later.
         $_SESSION['challenge'] = $WebAuthn->getChallenge();