Merge pull request #4269 from thornbill/fix-plugin-xss

Fix XSS vulnerability in plugin repo pages
Joshua M. Boniface 2023-01-09 12:15:18 -05:00 committed by GitHub
commit 21a3bae204
2 changed files with 12 additions and 12 deletions


@ -53,24 +53,24 @@ function renderPackage(pkg, installedPlugins, page) {
populateVersions(pkg, page, installedPlugin); populateVersions(pkg, page, installedPlugin);
populateHistory(pkg, page); populateHistory(pkg, page);
$('.pluginName', page).html(pkg.name); $('.pluginName', page).text(pkg.name);
$('#btnInstallDiv', page).removeClass('hide'); $('#btnInstallDiv', page).removeClass('hide');
$('#pSelectVersion', page).removeClass('hide'); $('#pSelectVersion', page).removeClass('hide');
if (pkg.overview) { if (pkg.overview) {
$('#overview', page).show().html(pkg.overview); $('#overview', page).show().text(pkg.overview);
} else { } else {
$('#overview', page).hide(); $('#overview', page).hide();
} }
$('#description', page).html(pkg.description); $('#description', page).text(pkg.description);
$('#developer', page).html(pkg.owner); $('#developer', page).text(pkg.owner);
if (installedPlugin) { if (installedPlugin) {
const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + installedPlugin.Version + '</strong>'); const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + installedPlugin.Version + '</strong>');
$('#pCurrentVersion', page).show().html(currentVersionText); $('#pCurrentVersion', page).show().text(currentVersionText);
} else { } else {
$('#pCurrentVersion', page).hide().html(''); $('#pCurrentVersion', page).hide().text('');
} }
loading.hide(); loading.hide();
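Review bot: Switching `#pCurrentVersion` from `.html()` to `.text()` is a regression, because `currentVersionText` on the line above it is still built with literal `<strong>` tags, so the page will now display `<strong>1.2.3</strong>` as visible text instead of bold. The fix that keeps both the markup and the protection is to escape the untrusted part and keep `.html()`: `const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + escapeHTML(installedPlugin.Version) + '</strong>');` followed by `$('#pCurrentVersion', page).show().html(currentVersionText);`, with `import escapeHTML from 'escape-html';` added at the top of this file as the other file in this commit already does. The version string comes from installed-plugin data, so it deserves the same treatment as name, overview, description and owner. renderPackage starts before this hunk and its body continues after it.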


@ -1,3 +1,5 @@
import escapeHTML from 'escape-html';
import loading from '../../../../components/loading/loading'; import loading from '../../../../components/loading/loading';
import libraryMenu from '../../../../scripts/libraryMenu'; import libraryMenu from '../../../../scripts/libraryMenu';
import globalize from '../../../../scripts/globalize'; import globalize from '../../../../scripts/globalize';
@ -73,7 +75,7 @@ function populateList(options) {
html += '</div>'; html += '</div>';
} }
html += '<div class="verticalSection">'; html += '<div class="verticalSection">';
html += '<h2 class="sectionTitle sectionTitle-cards">' + category + '</h2>'; html += '<h2 class="sectionTitle sectionTitle-cards">' + escapeHTML(category) + '</h2>';
html += '<div class="itemsContainer vertical-wrap">'; html += '<div class="itemsContainer vertical-wrap">';
currentCategory = category; currentCategory = category;
} }
@ -107,7 +109,7 @@ function getPluginHtml(plugin, options, installedPlugins) {
html += `<a class="cardImageContainer" is="emby-linkbutton" style="margin:0;padding:0" href="${href}" ${target}>`; html += `<a class="cardImageContainer" is="emby-linkbutton" style="margin:0;padding:0" href="${href}" ${target}>`;
if (plugin.imageUrl) { if (plugin.imageUrl) {
html += `<img src="${plugin.imageUrl}" style="width:100%" />`; html += `<img src="${escapeHTML(plugin.imageUrl)}" style="width:100%" />`;
} else { } else {
html += `<div class="cardImage flex align-items-center justify-content-center ${cardBuilder.getDefaultBackgroundClass()}">`; html += `<div class="cardImage flex align-items-center justify-content-center ${cardBuilder.getDefaultBackgroundClass()}">`;
html += '<span class="cardImageIcon material-icons extension" aria-hidden="true"></span>'; html += '<span class="cardImageIcon material-icons extension" aria-hidden="true"></span>';
@ -119,11 +121,9 @@ function getPluginHtml(plugin, options, installedPlugins) {
html += '</div>'; html += '</div>';
html += '<div class="cardFooter">'; html += '<div class="cardFooter">';
html += "<div class='cardText'>"; html += "<div class='cardText'>";
html += plugin.name; html += escapeHTML(plugin.name);
html += '</div>'; html += '</div>';
const installedPlugin = installedPlugins.filter(function (ip) { const installedPlugin = installedPlugins.find(installed => installed.Id === plugin.guid);
return ip.Id == plugin.guid;
})[0];
html += "<div class='cardText cardText-secondary'>"; html += "<div class='cardText cardText-secondary'>";
html += installedPlugin ? globalize.translate('LabelVersionInstalled', installedPlugin.Version) : '&nbsp;'; html += installedPlugin ? globalize.translate('LabelVersionInstalled', installedPlugin.Version) : '&nbsp;';
html += '</div>'; html += '</div>';
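Review bot: `installedPlugin.Version` is still concatenated into `html` unescaped in the last hunk, while `plugin.name` a few lines above now goes through `escapeHTML`; the label argument should be escaped the same way, `html += installedPlugin ? globalize.translate('LabelVersionInstalled', escapeHTML(installedPlugin.Version)) : '&nbsp;';`. In the preceding hunk, `href` and `target` are interpolated into the anchor tag but are computed outside the hunk, so whether they are escaped cannot be judged here and is worth checking. The `find` rewrite also changes `==` to `===`, which is only equivalent if `Id` and `guid` always share a type; if one side can be a number, previously-matched plugins would now show as not installed. getPluginHtml starts before these hunks and continues after the last line shown.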