mirrors/jellyfin-web
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00
Code Activity

Merge pull request #4657 from thornbill/subs-xss

Browse source 
Fix xss in custom subtitles element
This commit is contained in:
Bill Thornton 2023-06-01 02:13:28 -04:00 committed by GitHub
commit 5cc91f2ee0
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

5
src/plugins/htmlVideoPlayer/plugin.js
View file

@ -1,3 +1,5 @@
import DOMPurify from 'dompurify';
import browser from '../../scripts/browser';
import { Events } from 'jellyfin-apiclient';
import { appHost } from '../../components/apphost';
@ -1317,7 +1319,8 @@ function tryRemoveElement(elem) {
}
if (selectedTrackEvent && selectedTrackEvent.Text) {
subtitleTextElement.innerHTML = normalizeTrackEventText(selectedTrackEvent.Text, true);
subtitleTextElement.innerHTML = DOMPurify.sanitize(
normalizeTrackEventText(selectedTrackEvent.Text, true));
subtitleTextElement.classList.remove('hide');
} else {
subtitleTextElement.classList.add('hide');