From 4ee51ff12e9843bfb1de92c19653f0edd345017d Mon Sep 17 00:00:00 2001
From: Bill Thornton <thornbill@users.noreply.github.com>
Date: Sun, 22 Jan 2023 14:08:04 -0500
Subject: [PATCH] Backport pull request #4269 from jellyfin/release-10.8.z

Fix XSS vulnerability in plugin repo pages

Original-merge: 21a3bae204772e019560d23288c352ceb6dfcf2e

Merged-by: Joshua M. Boniface <joshua@boniface.me>

Backported-by: Joshua M. Boniface <joshua@boniface.me>
---
 src/controllers/dashboard/plugins/add/index.js       | 12 ++++++------
 src/controllers/dashboard/plugins/available/index.js | 12 ++++++------
 2 files changed, 12 insertions(+), 12 deletions(-)

diff --git a/src/controllers/dashboard/plugins/add/index.js b/src/controllers/dashboard/plugins/add/index.js
index 214aff850f..5e0a2d3f14 100644
--- a/src/controllers/dashboard/plugins/add/index.js
+++ b/src/controllers/dashboard/plugins/add/index.js
@@ -53,24 +53,24 @@ function renderPackage(pkg, installedPlugins, page) {
     populateVersions(pkg, page, installedPlugin);
     populateHistory(pkg, page);
 
-    $('.pluginName', page).html(pkg.name);
+    $('.pluginName', page).text(pkg.name);
     $('#btnInstallDiv', page).removeClass('hide');
     $('#pSelectVersion', page).removeClass('hide');
 
     if (pkg.overview) {
-        $('#overview', page).show().html(pkg.overview);
+        $('#overview', page).show().text(pkg.overview);
     } else {
         $('#overview', page).hide();
     }
 
-    $('#description', page).html(pkg.description);
-    $('#developer', page).html(pkg.owner);
+    $('#description', page).text(pkg.description);
+    $('#developer', page).text(pkg.owner);
 
     if (installedPlugin) {
         const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + installedPlugin.Version + '</strong>');
-        $('#pCurrentVersion', page).show().html(currentVersionText);
+        $('#pCurrentVersion', page).show().text(currentVersionText);
     } else {
-        $('#pCurrentVersion', page).hide().html('');
+        $('#pCurrentVersion', page).hide().text('');
     }
 
     loading.hide();
diff --git a/src/controllers/dashboard/plugins/available/index.js b/src/controllers/dashboard/plugins/available/index.js
index 095bbb8659..4dc172450f 100644
--- a/src/controllers/dashboard/plugins/available/index.js
+++ b/src/controllers/dashboard/plugins/available/index.js
@@ -1,3 +1,5 @@
+import escapeHTML from 'escape-html';
+
 import loading from '../../../../components/loading/loading';
 import libraryMenu from '../../../../scripts/libraryMenu';
 import globalize from '../../../../scripts/globalize';
@@ -73,7 +75,7 @@ function populateList(options) {
                 html += '</div>';
             }
             html += '<div class="verticalSection">';
-            html += '<h2 class="sectionTitle sectionTitle-cards">' + category + '</h2>';
+            html += '<h2 class="sectionTitle sectionTitle-cards">' + escapeHTML(category) + '</h2>';
             html += '<div class="itemsContainer vertical-wrap">';
             currentCategory = category;
         }
@@ -134,7 +136,7 @@ function getPluginHtml(plugin, options, installedPlugins) {
     html += `<a class="cardImageContainer" is="emby-linkbutton" style="margin:0;padding:0" href="${href}" ${target}>`;
 
     if (plugin.imageUrl) {
-        html += `<img src="${plugin.imageUrl}" style="width:100%" />`;
+        html += `<img src="${escapeHTML(plugin.imageUrl)}" style="width:100%" />`;
     } else {
         html += `<div class="cardImage flex align-items-center justify-content-center ${cardBuilder.getDefaultBackgroundClass()}">`;
         html += '<span class="cardImageIcon material-icons extension" aria-hidden="true"></span>';
@@ -146,11 +148,9 @@ function getPluginHtml(plugin, options, installedPlugins) {
     html += '</div>';
     html += '<div class="cardFooter">';
     html += "<div class='cardText'>";
-    html += plugin.name;
+    html += escapeHTML(plugin.name);
     html += '</div>';
-    const installedPlugin = installedPlugins.filter(function (ip) {
-        return ip.Id == plugin.guid;
-    })[0];
+    const installedPlugin = installedPlugins.find(installed => installed.Id === plugin.guid);
     html += "<div class='cardText cardText-secondary'>";
     html += installedPlugin ? globalize.translate('LabelVersionInstalled', installedPlugin.Version) : '&nbsp;';
     html += '</div>';