From 2521b0614225db9a6f6a063c2eccf754d74fb15f Mon Sep 17 00:00:00 2001
From: Felix Oswald <52625423+felixoswald@users.noreply.github.com>
Date: Sat, 19 Mar 2022 09:50:40 +0100
Subject: [PATCH] escaped location with escapeHtml()

---
 src/controllers/itemDetails/index.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index 3f68b5bad..4cb329b2e 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -666,12 +666,12 @@ function reloadFromItem(instance, page, params, item, user) {
     if (item.Type == 'Person' && item.ProductionLocations && item.ProductionLocations.length) {
         let location = item.ProductionLocations[0];
         if (!layoutManager.tv && appHost.supports('externallinks')) {
-            itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', `<a is="emby-linkbutton" class="button-link textlink" target="_blank" href="https://www.openstreetmap.org/search?query=${encodeURIComponent(location)}"></a>`);
-            page.querySelector('#itemBirthLocation > a').innerText = `${location}`;
+            location = `<a is="emby-linkbutton" class="button-link textlink" target="_blank" href="https://www.openstreetmap.org/search?query=${encodeURIComponent(location)}">${escapeHtml(location)}</a>`;
         } else {
-            itemBirthLocation.innerText = globalize.translate('BirthPlaceValue', `${location}`);
+            location = escapeHtml(location);
         }
         itemBirthLocation.classList.remove('hide');
+        itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', location);
     } else {
         itemBirthLocation.classList.add('hide');
     }