Backport pull request #5563 from jellyfin-web/release-10.9.z

Fix chapter name XSS injection in progress bar Original-merge: 7eb54e029f Merged-by: thornbill <thornbill@users.noreply.github.com> Backported-by: Joshua M. Boniface <joshua@boniface.me>
2025-03-30 19:56:21 +00:00 · 2024-05-25 11:50:39 -04:00 · 2024-05-25 11:50:39 -04:00 · 9cf57574fb
commit 9cf57574fb
parent 94f34ddd13
2 changed files with 2 additions and 18 deletions
--- a/src/controllers/playback/video/index.js
+++ b/src/controllers/playback/video/index.js
@ -1843,7 +1843,6 @@ export default function (view) {
        if (item?.Chapters?.length) {
            item.Chapters.forEach(currentChapter => {
                markers.push({
-                    className: 'chapterMarker',
                    name: currentChapter.Name,
                    progress: currentChapter.StartPositionTicks / item.RunTimeTicks
                });
--- a/src/elements/emby-slider/emby-slider.js
+++ b/src/elements/emby-slider/emby-slider.js
@ -203,28 +203,13 @@ function setMarker(range, valueMarker, marker, valueProgress) {
 }

 function updateMarkers(range, currentValue) {
-    function getMarkerHtml(markerInfo) {
-        let markerTypeSpecificClasses = '';
-
-        if (markerInfo.className === 'chapterMarker') {
-            markerTypeSpecificClasses = markerInfo.className;
-
-            if (typeof markerInfo.name === 'string' && markerInfo.name.length) {
-                // limit the class length in case the name contains half a novel
-                markerTypeSpecificClasses = `${markerInfo.className} marker-${markerInfo.name.substring(0, 100).toLowerCase().replace(' ', '-')}`;
-            }
-        }
-
-        return `<span class="material-icons sliderMarker ${markerTypeSpecificClasses}" aria-hidden="true"></span>`;
-    }
-
    if (range.getMarkerInfo) {
        range.markerInfo = range.getMarkerInfo();

        range.markerContainerElement.innerHTML = '';

-        range.markerInfo.forEach(info => {
-            range.markerContainerElement.insertAdjacentHTML('beforeend', getMarkerHtml(info));
+        range.markerInfo.forEach(() => {
+            range.markerContainerElement.insertAdjacentHTML('beforeend', '<span class="sliderMarker" aria-hidden="true"></span>');
        });

        range.markerElements = range.markerContainerElement.querySelectorAll('.sliderMarker');