mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00

Backport pull request #4657 from jellyfin/release-10.8.z

Fix XSS in custom subtitles element

Original-merge: 5cc91f2ee0

Merged-by: Bill Thornton <thornbill@users.noreply.github.com>

Backported-by: Bill Thornton <thornbill@users.noreply.github.com>
Bill Thornton 2023-07-02 02:06:26 -04:00
parent b372953671
commit ba0acc6b04


@ -1,3 +1,5 @@
import DOMPurify from 'dompurify';
import browser from '../../scripts/browser';
import { appHost } from '../../components/apphost';
import loading from '../../components/loading/loading';
@ -1535,7 +1537,8 @@ export class HtmlVideoPlayer {
}
if (selectedTrackEvent && selectedTrackEvent.Text) {
subtitleTextElement.innerHTML = normalizeTrackEventText(selectedTrackEvent.Text, true);
subtitleTextElement.innerHTML = DOMPurify.sanitize(
normalizeTrackEventText(selectedTrackEvent.Text, true));
subtitleTextElement.classList.remove('hide');
} else {
subtitleTextElement.classList.add('hide');
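Review bot: `DOMPurify.sanitize(...)` is called with its default configuration on the new `innerHTML` assignment, which strips script-capable markup but still passes a wide set of elements and attributes that subtitle cues do not need, including ones that can load remote resources or restyle the player overlay. Since cue text comes from media and subtitle files the client does not control, an allowlist would be tighter, e.g. `DOMPurify.sanitize(normalizeTrackEventText(selectedTrackEvent.Text, true), { ALLOWED_TAGS: ['b', 'i', 'u', 'br'], ALLOWED_ATTR: [] })`; the exact tag list depends on what `normalizeTrackEventText` emits, which is outside the hunk. A one-line comment such as `// Cue text is untrusted file content; sanitize before it reaches innerHTML` would also keep a later refactor from dropping the call. The enclosing method of `HtmlVideoPlayer` starts and ends outside the hunk.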