From 4bc0eebee0877198cc5072fa8504148bbedc1c73 Mon Sep 17 00:00:00 2001
From: Bill Thornton <thornbill@users.noreply.github.com>
Date: Mon, 9 Jan 2023 11:11:33 -0500
Subject: [PATCH] Fix XSS vulnerability in plugin repo pages

---
 src/controllers/dashboard/plugins/add/index.js       | 12 ++++++------
 src/controllers/dashboard/plugins/available/index.js | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/controllers/dashboard/plugins/add/index.js b/src/controllers/dashboard/plugins/add/index.js
index 1039771a0d..1cd4e0d3c5 100644
--- a/src/controllers/dashboard/plugins/add/index.js
+++ b/src/controllers/dashboard/plugins/add/index.js
@@ -53,24 +53,24 @@ function renderPackage(pkg, installedPlugins, page) {
     populateVersions(pkg, page, installedPlugin);
     populateHistory(pkg, page);
 
-    $('.pluginName', page).html(pkg.name);
+    $('.pluginName', page).text(pkg.name);
     $('#btnInstallDiv', page).removeClass('hide');
     $('#pSelectVersion', page).removeClass('hide');
 
     if (pkg.overview) {
-        $('#overview', page).show().html(pkg.overview);
+        $('#overview', page).show().text(pkg.overview);
     } else {
         $('#overview', page).hide();
     }
 
-    $('#description', page).html(pkg.description);
-    $('#developer', page).html(pkg.owner);
+    $('#description', page).text(pkg.description);
+    $('#developer', page).text(pkg.owner);
 
     if (installedPlugin) {
         const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + installedPlugin.Version + '</strong>');
-        $('#pCurrentVersion', page).show().html(currentVersionText);
+        $('#pCurrentVersion', page).show().text(currentVersionText);
     } else {
-        $('#pCurrentVersion', page).hide().html('');
+        $('#pCurrentVersion', page).hide().text('');
     }
 
     loading.hide();
diff --git a/src/controllers/dashboard/plugins/available/index.js b/src/controllers/dashboard/plugins/available/index.js
index e24d4a144f..656d5bf321 100644
--- a/src/controllers/dashboard/plugins/available/index.js
+++ b/src/controllers/dashboard/plugins/available/index.js
@@ -1,3 +1,5 @@
+import escapeHTML from 'escape-html';
+
 import loading from '../../../../components/loading/loading';
 import libraryMenu from '../../../../scripts/libraryMenu';
 import globalize from '../../../../scripts/globalize';
@@ -73,7 +75,7 @@ function populateList(options) {
                 html += '</div>';
             }
             html += '<div class="verticalSection">';
-            html += '<h2 class="sectionTitle sectionTitle-cards">' + category + '</h2>';
+            html += '<h2 class="sectionTitle sectionTitle-cards">' + escapeHTML(category) + '</h2>';
             html += '<div class="itemsContainer vertical-wrap">';
             currentCategory = category;
         }
@@ -107,7 +109,7 @@ function getPluginHtml(plugin, options, installedPlugins) {
     html += `<a class="cardImageContainer" is="emby-linkbutton" style="margin:0;padding:0" href="${href}" ${target}>`;
 
     if (plugin.imageUrl) {
-        html += `<img src="${plugin.imageUrl}" style="width:100%" />`;
+        html += `<img src="${escapeHTML(plugin.imageUrl)}" style="width:100%" />`;
     } else {
         html += `<div class="cardImage flex align-items-center justify-content-center ${cardBuilder.getDefaultBackgroundClass()}">`;
         html += '<span class="cardImageIcon material-icons extension" aria-hidden="true"></span>';
@@ -119,11 +121,9 @@ function getPluginHtml(plugin, options, installedPlugins) {
     html += '</div>';
     html += '<div class="cardFooter">';
     html += "<div class='cardText'>";
-    html += plugin.name;
+    html += escapeHTML(plugin.name);
     html += '</div>';
-    const installedPlugin = installedPlugins.filter(function (ip) {
-        return ip.Id == plugin.guid;
-    })[0];
+    const installedPlugin = installedPlugins.find(installed => installed.Id === plugin.guid);
     html += "<div class='cardText cardText-secondary'>";
     html += installedPlugin ? globalize.translate('LabelVersionInstalled', installedPlugin.Version) : '&nbsp;';
     html += '</div>';