milas/jellyfish-web
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Backport pull request #4657 from jellyfin/release-10.8.z

Browse source 
Fix xss in custom subtitles element

Original-merge: 5cc91f2ee03d06f1fc3eda3e924b3e25c6f95170

Merged-by: Bill Thornton <thornbill@users.noreply.github.com>

Backported-by: Bill Thornton <thornbill@users.noreply.github.com>
This commit is contained in:
Bill Thornton 2023-07-02 02:06:26 -04:00
parent b372953671
commit ba0acc6b04
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/plugins/htmlVideoPlayer/plugin.js
View file

@ -1,3 +1,5 @@
import DOMPurify from 'dompurify';
import browser from '../../scripts/browser'; import browser from '../../scripts/browser';
import { appHost } from '../../components/apphost'; import { appHost } from '../../components/apphost';
import loading from '../../components/loading/loading'; import loading from '../../components/loading/loading';
@ -1535,7 +1537,8 @@ export class HtmlVideoPlayer {
} }
if (selectedTrackEvent && selectedTrackEvent.Text) { if (selectedTrackEvent && selectedTrackEvent.Text) {
subtitleTextElement.innerHTML = normalizeTrackEventText(selectedTrackEvent.Text, true); subtitleTextElement.innerHTML = DOMPurify.sanitize(
normalizeTrackEventText(selectedTrackEvent.Text, true));
subtitleTextElement.classList.remove('hide'); subtitleTextElement.classList.remove('hide');
} else { } else {
subtitleTextElement.classList.add('hide'); subtitleTextElement.classList.add('hide');