Backport pull request #3789 from jellyfin/release-10.8.z

Fix XSS in card aria labels

Original-merge: 747f7beae7

Merged-by: Bill Thornton <thornbill@users.noreply.github.com>

Backported-by: Joshua Boniface <joshua@boniface.me>
Bill Thornton 2022-08-02 23:59:18 -04:00 committed by Joshua Boniface
parent d6b5b0858f
commit 3fb990fdd2


@ -1349,7 +1349,7 @@ import { appRouter } from '../appRouter';
cardImageContainerClose = '</div>';
} else {
const cardImageContainerAriaLabelAttribute = ` aria-label="${item.Name}"`;
const cardImageContainerAriaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
const url = appRouter.getRouteUrl(item);
// Don't use the IMG tag with safari because it puts a white border around it
@ -1433,7 +1433,7 @@ import { appRouter } from '../appRouter';
if (tagName === 'button') {
className += ' itemAction';
actionAttribute = ' data-action="' + action + '"';
ariaLabelAttribute = ` aria-label="${item.Name}"`;
ariaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
} else {
actionAttribute = '';
}
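Review bot: Both new `aria-label="${escapeHtml(item.Name)}"` lines put the value inside a double-quoted attribute, so the fix holds only if `escapeHtml` encodes `"` as well as `<`, `>` and `&`. Neither hunk shows the helper or an import for it, so the backport should confirm that `escapeHtml` is in scope in this file on the target branch and is safe for attribute context. In the second hunk, `actionAttribute = ' data-action="' + action + '"';` sits directly above the fixed line and is still concatenated unescaped. If `action` can ever come from item or server data rather than a fixed internal value, it needs the same treatment: `actionAttribute = ' data-action="' + escapeHtml(action) + '"';`. The enclosing functions start and end outside both hunks, so other places where item fields are interpolated into the markup are not visible here and are worth checking with a search for `item.Name` in the card builder's template strings.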