Prevent code injection from downloaded keybox file (#23)

* add sanitization of arbitrary keybox content

module/webui/scripts/menu_option.js

@@ -175,10 +175,11 @@ export async function setupSystemAppMenu() {
 
 // Function to backup previous keybox and set new keybox
 async function setKeybox(content) {
+    const sanitizedContent = content.replace(/'/g, "'\\''");
     try {
         await execCommand(`
             mv -f /data/adb/tricky_store/keybox.xml /data/adb/tricky_store/keybox.xml.bak 2>/dev/null
-            echo '${content}' > /data/adb/tricky_store/keybox.xml
+            echo '${sanitizedContent}' > /data/adb/tricky_store/keybox.xml
             chmod 644 /data/adb/tricky_store/keybox.xml
             `);
         return true;