From 55ad352d08e4162d1e99114b044176545f012501 Mon Sep 17 00:00:00 2001
From: Felix Oswald <52625423+felixoswald@users.noreply.github.com>
Date: Fri, 18 Mar 2022 21:17:19 +0100
Subject: [PATCH] escaped location to prevent xss

---
 src/controllers/itemDetails/index.js | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/src/controllers/itemDetails/index.js b/src/controllers/itemDetails/index.js
index a54cce5626..3f68b5badc 100644
--- a/src/controllers/itemDetails/index.js
+++ b/src/controllers/itemDetails/index.js
@@ -666,10 +666,12 @@ function reloadFromItem(instance, page, params, item, user) {
     if (item.Type == 'Person' && item.ProductionLocations && item.ProductionLocations.length) {
         let location = item.ProductionLocations[0];
         if (!layoutManager.tv && appHost.supports('externallinks')) {
-            location = `<a is="emby-linkbutton" class="button-link textlink" target="_blank" href="https://www.openstreetmap.org/search?query=${encodeURIComponent(location)}">${location}</a>`;
+            itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', `<a is="emby-linkbutton" class="button-link textlink" target="_blank" href="https://www.openstreetmap.org/search?query=${encodeURIComponent(location)}"></a>`);
+            page.querySelector('#itemBirthLocation > a').innerText = `${location}`;
+        } else {
+            itemBirthLocation.innerText = globalize.translate('BirthPlaceValue', `${location}`);
         }
         itemBirthLocation.classList.remove('hide');
-        itemBirthLocation.innerHTML = globalize.translate('BirthPlaceValue', location);
     } else {
         itemBirthLocation.classList.add('hide');
     }