mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00

Fix HTML escaping

Regression: 59adbc348a
Dmitry Lyzo 2022-03-19 10:37:13 +03:00
parent 999011509e
commit 4929bfd350
2 changed files with 9 additions and 10 deletions


@ -86,7 +86,7 @@ function showSubtitleMenu(context, player, button) {
function getNowPlayingNameHtml(nowPlayingItem, includeNonNameInfo) {
return nowPlayingHelper.getNowPlayingNames(nowPlayingItem, includeNonNameInfo).map(function (i) {
return i.text;
return escapeHtml(i.text);
}).join('<br/>');
}
@ -140,7 +140,6 @@ function updateNowPlayingInfo(context, state, serverId) {
if (item) {
const nowPlayingServerId = (item.ServerId || serverId);
if (item.Type == 'Audio' || item.MediaStreams[0].Type == 'Audio') {
const songName = escapeHtml(item.Name);
let artistsSeries = '';
let albumName = '';
if (item.Artists != null) {
@ -148,7 +147,7 @@ function updateNowPlayingInfo(context, state, serverId) {
for (const artist of item.ArtistItems) {
const artistName = escapeHtml(artist.Name);
const artistId = artist.Id;
artistsSeries += `<a class="button-link emby-button" is="emby-linkbutton" href="#!/details?id=${artistId}&serverId=${nowPlayingServerId}">${artistName}</a>`;
artistsSeries += `<a class="button-link emby-button" is="emby-linkbutton" href="#!/details?id=${artistId}&serverId=${nowPlayingServerId}">${escapeHtml(artistName)}</a>`;
if (artist !== item.ArtistItems.slice(-1)[0]) {
artistsSeries += ', ';
}
@ -168,9 +167,9 @@ function updateNowPlayingInfo(context, state, serverId) {
if (item.Album != null) {
albumName = '<a class="button-link emby-button" is="emby-linkbutton" href="#!/details?id=' + item.AlbumId + `&serverId=${nowPlayingServerId}">` + escapeHtml(item.Album) + '</a>';
}
context.querySelector('.nowPlayingAlbum').innerText = albumName;
context.querySelector('.nowPlayingArtist').innerText = artistsSeries;
context.querySelector('.nowPlayingSongName').innerText = songName;
context.querySelector('.nowPlayingAlbum').innerHTML = albumName;
context.querySelector('.nowPlayingArtist').innerHTML = artistsSeries;
context.querySelector('.nowPlayingSongName').innerText = item.Name;
} else if (item.Type == 'Episode') {
if (item.SeasonName != null) {
const seasonName = item.SeasonName;
@ -186,7 +185,7 @@ function updateNowPlayingInfo(context, state, serverId) {
}
context.querySelector('.nowPlayingEpisode').innerText = item.Name;
} else {
context.querySelector('.nowPlayingPageTitle').innerText = displayName;
context.querySelector('.nowPlayingPageTitle').innerHTML = displayName;
}
if (displayName.length > 0 && item.Type != 'Audio' && item.Type != 'Episode') {
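Review bot: Artist names are escaped twice in the artist-link hunk: `artistName` is already `escapeHtml(artist.Name)` on the unchanged line above, and the new template wraps it in `escapeHtml(artistName)` again, so a name containing `&` (constructed example: "Simon & Garfunkel") would render with a literal `&amp;` once `artistsSeries` is assigned through `innerHTML`. Escape once, at the point of interpolation: change the declaration to `const artistName = artist.Name;` and keep `${escapeHtml(artistName)}` in the template. In the same markup `artistId`, `item.AlbumId` and `nowPlayingServerId` are placed into `href` without escaping; they are presumably server-generated ids, but since these strings now reach `innerHTML`, wrapping them as `${escapeHtml(artistId)}` would cover the attribute context as well. `displayName` in the last hunk is built outside the visible lines, so its escaping should be confirmed before it is assigned to `.nowPlayingPageTitle` via `innerHTML`.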


@ -525,11 +525,11 @@ import confirm from '../../components/confirm/confirm';
const html = [];
if (session.UserId) {
html.push(session.UserName);
html.push(escapeHtml(session.UserName));
}
for (let i = 0, length = session.AdditionalUsers.length; i < length; i++) {
html.push(session.AdditionalUsers[i].UserName);
html.push(escapeHtml(session.AdditionalUsers[i].UserName));
}
return html.join(', ');
@ -577,7 +577,7 @@ import confirm from '../../components/confirm/confirm';
btnSessionPlayPauseIcon.classList.add(session.PlayState && session.PlayState.IsPaused ? 'play_arrow' : 'pause');
row.querySelector('.sessionNowPlayingTime').innerText = DashboardPage.getSessionNowPlayingTime(session);
row.querySelector('.sessionUserName').innerText = DashboardPage.getUsersHtml(session);
row.querySelector('.sessionUserName').innerHTML = DashboardPage.getUsersHtml(session);
row.querySelector('.sessionAppSecondaryText').innerText = DashboardPage.getAppSecondaryText(session);
const nowPlayingName = DashboardPage.getNowPlayingName(session);
const nowPlayingInfoElem = row.querySelector('.sessionNowPlayingInfo');
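Review bot: The user-name helper now returns HTML-escaped text, but only the `.sessionUserName` call site is visibly switched to `innerHTML`; any other caller of `DashboardPage.getUsersHtml` that still assigns the result through `innerText` or `textContent` would display entities such as `&amp;` literally. The function containing the `html.push(escapeHtml(...))` lines starts outside the hunk, so its other callers cannot be checked from here. I would record the contract on the function with a comment such as `// Returns HTML-escaped, comma-separated user names; assign via innerHTML only.` so that the escaping and the sink stay paired in later edits.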