From 3fb990fdd2af604d5d07db7922dcb2bf4c1c60dc Mon Sep 17 00:00:00 2001
From: Bill Thornton
Date: Tue, 2 Aug 2022 23:59:18 -0400
Subject: [PATCH] Backport pull request #3789 from jellyfin/release-10.8.z Fix XSS in card aria labels
Original-merge: 747f7beae714a09e6b56e9557ad0a86d738b5218
Merged-by: Bill Thornton
Backported-by: Joshua Boniface
---
 src/components/cardbuilder/cardBuilder.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/src/components/cardbuilder/cardBuilder.js b/src/components/cardbuilder/cardBuilder.js
index 46099cdad1..b5f85c9a57 100644
--- a/src/components/cardbuilder/cardBuilder.js
+++ b/src/components/cardbuilder/cardBuilder.js
@@ -1349,7 +1349,7 @@ import { appRouter } from '../appRouter';
 cardImageContainerClose = '';
 } else {
- const cardImageContainerAriaLabelAttribute = ` aria-label="${item.Name}"`;
+ const cardImageContainerAriaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
 const url = appRouter.getRouteUrl(item);
 // Don't use the IMG tag with safari because it puts a white border around it
@@ -1433,7 +1433,7 @@ import { appRouter } from '../appRouter';
 if (tagName === 'button') {
 className += ' itemAction';
 actionAttribute = ' data-action="' + action + '"';
- ariaLabelAttribute = ` aria-label="${item.Name}"`;
+ ariaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
 } else {
 actionAttribute = '';
 }
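Review bot: Both replaced lines put `escapeHtml(item.Name)` inside a double-quoted `aria-label`, so the fix only holds if that helper escapes `"` as well as `<`, `>` and `&`; the patch adds no import, so it is presumably already in scope earlier in cardBuilder.js, which is worth confirming. A short why-comment above the line would keep the escaping from being dropped in a later refactor, e.g. `// item.Name is untrusted metadata; escape it for the quoted attribute`, and the same comment fits the `ariaLabelAttribute` line in the second hunk. Other places in this file that interpolate item fields into markup are outside these hunks and deserve the same check. The enclosing block continues outside the hunk.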
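Review bot: The context line just above the fix in the second hunk, `actionAttribute = ' data-action="' + action + '"';`, still concatenates `action` into a double-quoted attribute without escaping. Where `action` is assigned is outside this hunk, so this may be safe if it only ever holds fixed literals; if it can come from caller options or item data, it needs the same treatment: `actionAttribute = ' data-action="' + escapeHtml(action) + '"';`. The enclosing function starts and ends outside the hunk.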