Escape HTML

2025-03-30 19:56:21 +00:00 · 2022-01-30 00:27:26 +03:00 · 2022-01-30 00:27:26 +03:00 · 59adbc348a
commit 59adbc348a
parent 08cbc5aa8f
60 changed files with 245 additions and 192 deletions
--- a/src/scripts/libraryMenu.js
+++ b/src/scripts/libraryMenu.js
@ -1,3 +1,4 @@
+import escapeHtml from 'escape-html';
 import dom from './dom';
 import layoutManager from '../components/layoutManager';
 import inputManager from './inputManager';
@ -558,7 +559,7 @@ import Headroom from 'headroom.js';
        }

        menuHtml += '<span class="navMenuOptionText">';
-        menuHtml += item.name;
+        menuHtml += escapeHtml(item.name);
        menuHtml += '</span>';
        return menuHtml + '</a>';
    }
@ -576,7 +577,7 @@ import Headroom from 'headroom.js';
                    menuHtml += getToolsLinkHtml(item);
                } else if (item.name) {
                    menuHtml += '<h3 class="sidebarHeader">';
-                    menuHtml += item.name;
+                    menuHtml += escapeHtml(item.name);
                    menuHtml += '</h3>';
                }
            }
@ -700,7 +701,7 @@ import Headroom from 'headroom.js';

                    return `<a is="emby-linkbutton" data-itemid="${itemId}" class="lnkMediaFolder navMenuOption" href="${getItemHref(i, i.CollectionType)}">
                                    <span class="material-icons navMenuOptionIcon ${icon}" aria-hidden="true"></span>
-                                    <span class="sectionName navMenuOptionText">${i.Name}</span>
+                                    <span class="sectionName navMenuOptionText">${escapeHtml(i.Name)}</span>
                                  </a>`;
                }).join('');
                libraryMenuOptions.innerHTML = html;
@ -751,7 +752,7 @@ import Headroom from 'headroom.js';
        if (info && !info.isLocalPlayer) {
            icon.classList.add('cast_connected');
            headerCastButton.classList.add('castButton-active');
-            context.querySelector('.headerSelectedPlayer').innerHTML = info.deviceName || info.name;
+            context.querySelector('.headerSelectedPlayer').innerText = info.deviceName || info.name;
        } else {
            icon.classList.add('cast');
            headerCastButton.classList.remove('castButton-active');
@ -973,7 +974,7 @@ import Headroom from 'headroom.js';
            pageTitleElement.classList.remove('pageTitleWithLogo');
            pageTitleElement.classList.remove('pageTitleWithDefaultLogo');
            pageTitleElement.style.backgroundImage = null;
-            pageTitleElement.innerHTML = html || '';
+            pageTitleElement.innerText = html || '';
        }

        document.title = title || 'Jellyfin';