mirrors/jellyfin-web
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00
Code Activity

Backport pull request #3789 from jellyfin/release-10.8.z

Browse source 
Fix XSS in card aria labels

Original-merge: 747f7beae7

Merged-by: Bill Thornton <thornbill@users.noreply.github.com>

Backported-by: Joshua Boniface <joshua@boniface.me>
This commit is contained in:
Bill Thornton 2022-08-02 23:59:18 -04:00 committed by Joshua Boniface
parent d6b5b0858f
commit 3fb990fdd2
1 changed files with 2 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

4
src/components/cardbuilder/cardBuilder.js
View file

@ -1349,7 +1349,7 @@ import { appRouter } from '../appRouter';
cardImageContainerClose = '</div>'; cardImageContainerClose = '</div>';
} else { } else {
const cardImageContainerAriaLabelAttribute = ` aria-label="${item.Name}"`; const cardImageContainerAriaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
const url = appRouter.getRouteUrl(item); const url = appRouter.getRouteUrl(item);
// Don't use the IMG tag with safari because it puts a white border around it // Don't use the IMG tag with safari because it puts a white border around it
@ -1433,7 +1433,7 @@ import { appRouter } from '../appRouter';
if (tagName === 'button') { if (tagName === 'button') {
className += ' itemAction'; className += ' itemAction';
actionAttribute = ' data-action="' + action + '"'; actionAttribute = ' data-action="' + action + '"';
ariaLabelAttribute = ` aria-label="${item.Name}"`; ariaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
} else { } else {
actionAttribute = ''; actionAttribute = '';
} }