From 2ffb833dafacd2e0d212d2010b5fd267f800a148 Mon Sep 17 00:00:00 2001
From: Bill Thornton
Date: Thu, 1 Jun 2023 01:33:59 -0400
Subject: [PATCH 1/3] Fix xss in custom subtitles element
---
 src/plugins/htmlVideoPlayer/plugin.js | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/src/plugins/htmlVideoPlayer/plugin.js b/src/plugins/htmlVideoPlayer/plugin.js
index 7a2e5ff98d..df582ca1c7 100644
--- a/src/plugins/htmlVideoPlayer/plugin.js
+++ b/src/plugins/htmlVideoPlayer/plugin.js
@@ -1,3 +1,5 @@
+import DOMPurify from 'dompurify';
+
 import browser from '../../scripts/browser';
 import { Events } from 'jellyfin-apiclient';
 import { appHost } from '../../components/apphost';
@@ -1317,7 +1319,8 @@ function tryRemoveElement(elem) {
 }
 if (selectedTrackEvent && selectedTrackEvent.Text) {
- subtitleTextElement.innerHTML = normalizeTrackEventText(selectedTrackEvent.Text, true);
+ subtitleTextElement.innerHTML = DOMPurify.sanitize(
+ normalizeTrackEventText(selectedTrackEvent.Text, true));
 subtitleTextElement.classList.remove('hide');
 } else {
 subtitleTextElement.classList.add('hide');
From b044bc25de4d5f28ebb125d0dd42e612ee81cf16 Mon Sep 17 00:00:00 2001
From: Bill Thornton
Date: Fri, 18 Nov 2022 14:06:23 -0500
Subject: [PATCH 2/3] Merge pull request #4171 from nielsvanvelzen/directory-browser-go-up Fix going to parent folder in directory browser
---
 src/components/directorybrowser/directorybrowser.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/components/directorybrowser/directorybrowser.js b/src/components/directorybrowser/directorybrowser.js
index 625523483d..eb74dd3364 100644
--- a/src/components/directorybrowser/directorybrowser.js
+++ b/src/components/directorybrowser/directorybrowser.js
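Review bot: In the second plugin.js hunk (the `subtitleTextElement.innerHTML` assignment), `DOMPurify.sanitize(...)` runs with its default profile, which removes script execution but still keeps a wide set of HTML such as images, links and form controls in text that originates from a subtitle track. Subtitle cues need only a few formatting tags, so an explicit allow-list would narrow what an untrusted subtitle file can place in the player overlay, for example `DOMPurify.sanitize(normalizeTrackEventText(selectedTrackEvent.Text, true), { ALLOWED_TAGS: ['b', 'i', 'u', 'br'], ALLOWED_ATTR: [] })`. The exact tag list has to be checked against what `normalizeTrackEventText` emits, which is not visible here. The enclosing function starts and ends outside the hunk, so any other place that writes cue text into the DOM could not be reviewed and should get the same treatment. The diffstat touches only plugin.js, so `dompurify` is presumably already declared as a dependency; confirm it is pinned in the lockfile.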
@@ -43,7 +43,7 @@ function refreshDirectoryBrowser(page, path, fileOptions, updatePathOnError) {
 Promise.all(promises).then( responses => {
 const folders = responses[0];
- const parentPath = responses[1] || '';
+ const parentPath = (responses[1] ? JSON.parse(responses[1]) : '') || '';
 let html = '';
 page.querySelector('.results').scrollTop = 0;
From 7ada8796a7ffcf39ac281701654876ec2e96b340 Mon Sep 17 00:00:00 2001
From: Dmitry Lyzo
Date: Tue, 13 Jun 2023 20:11:23 +0300
Subject: [PATCH 3/3] Disable ALAC on MacOS in non-Safari browsers
---
 src/scripts/browserDeviceProfile.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/scripts/browserDeviceProfile.js b/src/scripts/browserDeviceProfile.js
index 1fdaea30dd..2d6e0dad4b 100644
--- a/src/scripts/browserDeviceProfile.js
+++ b/src/scripts/browserDeviceProfile.js
@@ -130,7 +130,7 @@ import browser from './browser';
 typeString = 'audio/ogg; codecs="opus"';
 } else if (format === 'alac') {
- if (browser.iOS || browser.osx) {
+ if (browser.iOS || browser.osx && browser.safari) {
 return true;
 }
 } else if (format === 'mp2') {
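Review bot: In the directorybrowser.js hunk, `JSON.parse(responses[1])` throws a SyntaxError whenever the parent-path response is not valid JSON, and the throw happens inside the `.then` callback before any of the listing is rendered. Whether a rejection handler exists is not visible because `refreshDirectoryBrowser` continues outside the hunk, so a malformed or already-decoded response may leave the dialog empty with only an unhandled rejection. Parsing inside a `try`/`catch` that falls back to an empty parent path keeps the folder list usable, as sketched below.

```javascript
const folders = responses[0];
let parentPath = '';
if (responses[1]) {
    try {
        // The parent-path response is expected to be a JSON-encoded string.
        parentPath = JSON.parse(responses[1]) || '';
    } catch (err) {
        console.error('Unable to parse parent path response', err);
    }
}
// … unchanged: html rendering and scroll reset …
```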
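Review bot: The new condition `browser.iOS || browser.osx && browser.safari` in the browserDeviceProfile.js hunk mixes `||` and `&&` without grouping, so a reader has to recall that `&&` binds tighter to see that iOS is still accepted unconditionally. Explicit parentheses make the intent unmistakable and satisfy linters that flag mixed operators: `if (browser.iOS || (browser.osx && browser.safari)) {`. The enclosing function begins and ends outside the hunk.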