cotugno/jellyfin-web
2
Fork 0
mirror of https://github.com/jellyfin/jellyfin-web.git synced 2024-11-15 18:08:17 -07:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #4541 from thornbill/backport-ghsa-89hp-h43h-r5pq

Browse Source 
Escape device id in raw HTML.
This commit is contained in:
Bill Thornton 2023-04-26 02:07:33 -04:00 committed by GitHub
commit 28b3ba5714
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/controllers/dashboard/devices/devices.js
View File

@ -90,11 +90,12 @@ function load(page, devices) {
let html = '';
html += devices.map(function (device) {
let deviceHtml = '';
deviceHtml += "<div data-id='" + device.Id + "' class='card backdropCard'>";
deviceHtml += "<div data-id='" + escapeHtml(device.Id) + "' class='card backdropCard'>";
deviceHtml += '<div class="cardBox visualCardBox">';
deviceHtml += '<div class="cardScalable">';
deviceHtml += '<div class="cardPadder cardPadder-backdrop"></div>';
deviceHtml += `<a is="emby-linkbutton" href="#/device.html?id=${device.Id}" class="cardContent cardImageContainer ${cardBuilder.getDefaultBackgroundClass()}">`;
deviceHtml += `<a is="emby-linkbutton" href="#!/device.html?id=${escapeHtml(device.Id)}" class="cardContent cardImageContainer ${cardBuilder.getDefaultBackgroundClass()}">`;
// audit note: getDeviceIcon returns static text
const iconUrl = imageHelper.getDeviceIcon(device);
if (iconUrl) {
@ -113,7 +114,7 @@ function load(page, devices) {
deviceHtml += '<div style="text-align:left; float:left;padding-top:5px;">';
else
deviceHtml += '<div style="text-align:right; float:right;padding-top:5px;">';
deviceHtml += '<button type="button" is="paper-icon-button-light" data-id="' + device.Id + '" title="' + globalize.translate('Menu') + '" class="btnDeviceMenu"><span class="material-icons more_vert" aria-hidden="true"></span></button>';
deviceHtml += '<button type="button" is="paper-icon-button-light" data-id="' + escapeHtml(device.Id) + '" title="' + globalize.translate('Menu') + '" class="btnDeviceMenu"><span class="material-icons more_vert" aria-hidden="true"></span></button>';
deviceHtml += '</div>';
}

1
src/scripts/imagehelper.js
View File

@ -1,5 +1,6 @@
const BASE_DEVICE_IMAGE_URL = 'assets/img/devices/';
// audit note: this module is expected to return safe text for use in HTML
function getWebDeviceIcon(browser) {
switch (browser) {
case 'Opera':