From e6465ec6ec73832790c0c0cc17bc6ee9d372129b Mon Sep 17 00:00:00 2001
From: Felix Oswald <52625423+felixoswald@users.noreply.github.com>
Date: Fri, 18 Mar 2022 15:15:31 +0100
Subject: [PATCH 1/4] Fix birth location link
---
src/controllers/itemDetails/index.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index 762d4ce83e..a54cce5626 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -669,7 +669,7 @@ function reloadFromItem(instance, page, params, item, user) {
location = `${location}`;
}
itemBirthLocation.classList.remove('hide');
- itemBirthLocation.innerText = globalize.translate('BirthPlaceValue', location);
+ itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', location);
} else {
itemBirthLocation.classList.add('hide');
}
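Review bot: Switching the assignment on `itemBirthLocation` from `innerText` to `innerHTML` turns `location` into an HTML sink, and in this commit the value reaches it without escaping. The later hunks show `location` is taken from `item.ProductionLocations[0]`, which is item metadata, so any markup in that field would be parsed as HTML on the details page. Patches 2/4 and 3/4 deal with this, but on its own this commit is a vulnerable intermediate state. Squashing 1–3, or adding `location = escapeHtml(location);` before the link is built in this commit, would keep every revision safe to check out or bisect to. `reloadFromItem` starts and ends outside the hunk.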
From 55ad352d08e4162d1e99114b044176545f012501 Mon Sep 17 00:00:00 2001
From: Felix Oswald <52625423+felixoswald@users.noreply.github.com>
Date: Fri, 18 Mar 2022 21:17:19 +0100
Subject: [PATCH 2/4] escaped location to prevent xss
---
src/controllers/itemDetails/index.js | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index a54cce5626..3f68b5badc 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -666,10 +666,12 @@ function reloadFromItem(instance, page, params, item, user) {
if (item.Type == 'Person' && item.ProductionLocations && item.ProductionLocations.length) {
let location = item.ProductionLocations[0];
if (!layoutManager.tv && appHost.supports('externallinks')) {
- location = `${location}`;
+ itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', ``);
+ page.querySelector('#itemBirthLocation > a').innerText = `${location}`;
+ } else {
+ itemBirthLocation.innerText = globalize.translate('BirthPlaceValue', `${location}`);
}
itemBirthLocation.classList.remove('hide');
- itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', location);
} else {
itemBirthLocation.classList.add('hide');
}
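Review bot: `page.querySelector('#itemBirthLocation > a')` is dereferenced without a null check, so the link branch throws if the rendered `BirthPlaceValue` translation does not leave an `<a>` as a direct child of the element, for example a locale string that wraps or omits its placeholder. Writing the untrusted text through `innerText` is the right idea. Query from the element already in hand (presumably the same one the selector targets) and guard the result: `const link = itemBirthLocation.querySelector('a'); if (link) link.innerText = location;`. The template literal passed to `translate` on the line above appears empty in this rendering, so whether `location` is also interpolated into the link's attributes cannot be checked from here. `reloadFromItem` continues outside the hunk.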
From 2521b0614225db9a6f6a063c2eccf754d74fb15f Mon Sep 17 00:00:00 2001
From: Felix Oswald <52625423+felixoswald@users.noreply.github.com>
Date: Sat, 19 Mar 2022 09:50:40 +0100
Subject: [PATCH 3/4] escaped location with escapeHtml()
---
src/controllers/itemDetails/index.js | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index 3f68b5badc..4cb329b2e4 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -666,12 +666,12 @@ function reloadFromItem(instance, page, params, item, user) {
if (item.Type == 'Person' && item.ProductionLocations && item.ProductionLocations.length) {
let location = item.ProductionLocations[0];
if (!layoutManager.tv && appHost.supports('externallinks')) {
- itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', ``);
- page.querySelector('#itemBirthLocation > a').innerText = `${location}`;
+ location = `${escapeHtml(location)}`;
} else {
- itemBirthLocation.innerText = globalize.translate('BirthPlaceValue', `${location}`);
+ location = escapeHtml(location);
}
itemBirthLocation.classList.remove('hide');
+ itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', location);
} else {
itemBirthLocation.classList.add('hide');
}
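Review bot: Going back to a single `innerHTML` assignment means the output is only safe if the escaping matches every context `location` lands in. `escapeHtml` is appropriate for the element text, but the link markup on the `externallinks` branch is not visible in this rendering. If it also places the value in an `href`, that copy should be URL-encoded from the raw value, e.g. `encodeURIComponent(item.ProductionLocations[0])`, rather than relying on entity escaping alone. The diffstat shows three insertions, all in this hunk, so no import was added; confirm `escapeHtml` is already in scope in this file, otherwise both branches throw a ReferenceError. A one-line comment above the assignment, such as `// location is metadata-supplied; it must be escaped before reaching innerHTML`, would document the invariant for later edits.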
From 659657b62d5f81a3d9acd6af48fa4f48ad4132fd Mon Sep 17 00:00:00 2001
From: Felix Oswald <52625423+felixoswald@users.noreply.github.com>
Date: Sat, 19 Mar 2022 11:26:03 +0100
Subject: [PATCH 4/4] escaped ExternalUrls with escapeHtml()
---
src/controllers/itemDetails/index.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index 4cb329b2e4..9e90345841 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -747,7 +747,7 @@ function renderLinks(page, item) {
if (item.ExternalUrls) {
for (const url of item.ExternalUrls) {
- links.push(`${url.Name}`);
+ links.push(`${escapeHtml(url.Name)}`);
}
}
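Review bot: Only `url.Name` is escaped here; the link target of each `ExternalUrls` entry is not visible in this rendering of the template literal, and if it is interpolated into an `href` it needs its own handling. Entity escaping stops attribute breakout but does not stop a `javascript:` or `data:` URL. The target should therefore be checked against an allowlist of schemes (http and https) before the link is pushed, and entries that fail should be skipped. A short comment above the loop stating that `ExternalUrls` is presumably metadata-supplied and must be treated as untrusted would help keep later edits consistent. `renderLinks` continues outside the hunk.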