diff --git a/src/components/remotecontrol/remotecontrol.js b/src/components/remotecontrol/remotecontrol.js
index 5205093610..53b61949ea 100644
--- a/src/components/remotecontrol/remotecontrol.js
+++ b/src/components/remotecontrol/remotecontrol.js
@@ -86,7 +86,7 @@ function showSubtitleMenu(context, player, button) {
function getNowPlayingNameHtml(nowPlayingItem, includeNonNameInfo) {
return nowPlayingHelper.getNowPlayingNames(nowPlayingItem, includeNonNameInfo).map(function (i) {
- return i.text;
+ return escapeHtml(i.text);
}).join('
');
}
@@ -140,7 +140,6 @@ function updateNowPlayingInfo(context, state, serverId) {
if (item) {
const nowPlayingServerId = (item.ServerId || serverId);
if (item.Type == 'Audio' || item.MediaStreams[0].Type == 'Audio') {
- const songName = escapeHtml(item.Name);
let artistsSeries = '';
let albumName = '';
if (item.Artists != null) {
@@ -148,7 +147,7 @@ function updateNowPlayingInfo(context, state, serverId) {
for (const artist of item.ArtistItems) {
const artistName = escapeHtml(artist.Name);
const artistId = artist.Id;
- artistsSeries += `${artistName}`;
+ artistsSeries += `${escapeHtml(artistName)}`;
if (artist !== item.ArtistItems.slice(-1)[0]) {
artistsSeries += ', ';
}
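Review bot: The added `escapeHtml(artistName)` escapes a value that was already escaped two lines earlier by `const artistName = escapeHtml(artist.Name);`. An artist name containing an ampersand or angle bracket will therefore be double-encoded and show a literal `&amp;` once the string is assigned through innerHTML. Escape once: either leave the interpolation as `${artistName}`, or change the declaration to `const artistName = artist.Name;` and keep the new call. The rest of updateNowPlayingInfo lies outside this hunk.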
@@ -168,9 +167,9 @@ function updateNowPlayingInfo(context, state, serverId) {
if (item.Album != null) {
albumName = '` + escapeHtml(item.Album) + '';
}
- context.querySelector('.nowPlayingAlbum').innerText = albumName;
- context.querySelector('.nowPlayingArtist').innerText = artistsSeries;
- context.querySelector('.nowPlayingSongName').innerText = songName;
+ context.querySelector('.nowPlayingAlbum').innerHTML = albumName;
+ context.querySelector('.nowPlayingArtist').innerHTML = artistsSeries;
+ context.querySelector('.nowPlayingSongName').innerText = item.Name;
} else if (item.Type == 'Episode') {
if (item.SeasonName != null) {
const seasonName = item.SeasonName;
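Review bot: Switching `.nowPlayingAlbum` and `.nowPlayingArtist` from innerText to innerHTML makes these sinks safe only while every value concatenated into `albumName` and `artistsSeries` is escaped, and that cannot be confirmed from this hunk. The strings are built outside it, and the visible lines read `artistId` and `nowPlayingServerId` from the item without escaping. The same concern applies to `.nowPlayingPageTitle` in the next hunk, where `displayName` is assigned outside the visible lines. If those ids are interpolated into the markup, pass them through `escapeHtml` too, and add a comment above the assignments such as `// albumName and artistsSeries are HTML; every interpolated value must be escaped`.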
@@ -186,7 +185,7 @@ function updateNowPlayingInfo(context, state, serverId) {
}
context.querySelector('.nowPlayingEpisode').innerText = item.Name;
} else {
- context.querySelector('.nowPlayingPageTitle').innerText = displayName;
+ context.querySelector('.nowPlayingPageTitle').innerHTML = displayName;
}
if (displayName.length > 0 && item.Type != 'Audio' && item.Type != 'Episode') {
diff --git a/src/controllers/dashboard/dashboard.js b/src/controllers/dashboard/dashboard.js
index d4110b05ef..799bef35e4 100644
--- a/src/controllers/dashboard/dashboard.js
+++ b/src/controllers/dashboard/dashboard.js
@@ -525,11 +525,11 @@ import confirm from '../../components/confirm/confirm';
const html = [];
if (session.UserId) {
- html.push(session.UserName);
+ html.push(escapeHtml(session.UserName));
}
for (let i = 0, length = session.AdditionalUsers.length; i < length; i++) {
- html.push(session.AdditionalUsers[i].UserName);
+ html.push(escapeHtml(session.AdditionalUsers[i].UserName));
}
return html.join(', ');
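Review bot: `escapeHtml` is called on both added lines, but this diff adds no import for it in dashboard.js, so unless the file already imports it these calls will throw a ReferenceError when a session row is rendered. Please confirm the import exists. The function now returns escaped HTML rather than plain text, and the next hunk changes `.sessionUserName` to innerHTML to match, so any other caller that assigns the result as text would display entities. A doc comment such as `/** Returns comma-separated user names, HTML-escaped; assign via innerHTML. */` would record that contract. The function's opening is outside the hunk.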
@@ -577,7 +577,7 @@ import confirm from '../../components/confirm/confirm';
btnSessionPlayPauseIcon.classList.add(session.PlayState && session.PlayState.IsPaused ? 'play_arrow' : 'pause');
row.querySelector('.sessionNowPlayingTime').innerText = DashboardPage.getSessionNowPlayingTime(session);
- row.querySelector('.sessionUserName').innerText = DashboardPage.getUsersHtml(session);
+ row.querySelector('.sessionUserName').innerHTML = DashboardPage.getUsersHtml(session);
row.querySelector('.sessionAppSecondaryText').innerText = DashboardPage.getAppSecondaryText(session);
const nowPlayingName = DashboardPage.getNowPlayingName(session);
const nowPlayingInfoElem = row.querySelector('.sessionNowPlayingInfo');