mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00

Fix xss in api key page

Bill Thornton 2023-05-11 16:48:06 -04:00
parent 56af039fb9
commit 069ea049eb


@ -1,3 +1,5 @@
import escapeHTML from 'escape-html';
import datetime from '../../scripts/datetime';
import loading from '../../components/loading/loading';
import dom from '../../scripts/dom';
@ -25,13 +27,13 @@ import { pageIdOn } from '../../scripts/clientUtils';
let html = '';
html += '<tr class="detailTableBodyRow detailTableBodyRow-shaded">';
html += '<td class="detailTableBodyCell">';
html += '<button type="button" is="emby-button" data-token="' + item.AccessToken + '" class="raised raised-mini btnRevoke" data-mini="true" title="' + globalize.translate('ButtonRevoke') + '" style="margin:0;">' + globalize.translate('ButtonRevoke') + '</button>';
html += '<button type="button" is="emby-button" data-token="' + escapeHTML(item.AccessToken) + '" class="raised raised-mini btnRevoke" data-mini="true" title="' + globalize.translate('ButtonRevoke') + '" style="margin:0;">' + globalize.translate('ButtonRevoke') + '</button>';
html += '</td>';
html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
html += item.AccessToken;
html += escapeHTML(item.AccessToken);
html += '</td>';
html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
html += item.AppName || '';
html += escapeHTML(item.AppName) || '';
html += '</td>';
html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
const date = datetime.parseISO8601Date(item.DateCreated, true);
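Review bot: In the AppName cell, `html += escapeHTML(item.AppName) || '';` no longer falls back to an empty string. As far as I know, escape-html stringifies its argument, so a missing AppName comes back as the truthy text `undefined` and is rendered in the table. Move the fallback inside the call: `html += escapeHTML(item.AppName || '');`. The two AccessToken uses look right for both the text cell and the double-quoted `data-token` attribute, since escape-html also encodes quote characters. The enclosing function starts and ends outside this hunk, so how the built string reaches the DOM is not visible here.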