Merge pull request #4589 from thornbill/fix-api-key-xss

2025-03-30 19:56:21 +00:00 · 2023-05-11 17:10:22 -04:00 · 2023-05-11 17:10:22 -04:00 · 9266e51aaf
commit 9266e51aaf
parent 56af039fb9 069ea049eb
1 changed files with 5 additions and 3 deletions
--- a/src/controllers/dashboard/apikeys.js
+++ b/src/controllers/dashboard/apikeys.js
@ -1,3 +1,5 @@
+import escapeHTML from 'escape-html';
+
 import datetime from '../../scripts/datetime';
 import loading from '../../components/loading/loading';
 import dom from '../../scripts/dom';
@ -25,13 +27,13 @@ import { pageIdOn } from '../../scripts/clientUtils';
            let html = '';
            html += '<tr class="detailTableBodyRow detailTableBodyRow-shaded">';
            html += '<td class="detailTableBodyCell">';
-            html += '<button type="button" is="emby-button" data-token="' + item.AccessToken + '" class="raised raised-mini btnRevoke" data-mini="true" title="' + globalize.translate('ButtonRevoke') + '" style="margin:0;">' + globalize.translate('ButtonRevoke') + '</button>';
+            html += '<button type="button" is="emby-button" data-token="' + escapeHTML(item.AccessToken) + '" class="raised raised-mini btnRevoke" data-mini="true" title="' + globalize.translate('ButtonRevoke') + '" style="margin:0;">' + globalize.translate('ButtonRevoke') + '</button>';
            html += '</td>';
            html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
-            html += item.AccessToken;
+            html += escapeHTML(item.AccessToken);
            html += '</td>';
            html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
-            html += item.AppName || '';
+            html += escapeHTML(item.AppName) || '';
            html += '</td>';
            html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
            const date = datetime.parseISO8601Date(item.DateCreated, true);