Fix XSS in card aria labels

2025-03-30 19:56:21 +00:00 · 2022-08-02 13:51:20 -04:00 · 2022-08-02 13:51:20 -04:00 · eb4159788d
commit eb4159788d
parent 2feaff3648
1 changed files with 2 additions and 2 deletions
--- a/src/components/cardbuilder/cardBuilder.js
+++ b/src/components/cardbuilder/cardBuilder.js
@ -1347,7 +1347,7 @@ import ServerConnections from '../ServerConnections';
                cardImageContainerClose = '</div>';
            } else {
-                const cardImageContainerAriaLabelAttribute = ` aria-label="${item.Name}"`;
+                const cardImageContainerAriaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
                // Don't use the IMG tag with safari because it puts a white border around it
                cardImageContainerOpen = imgUrl ? ('<button data-action="' + action + '" class="' + cardImageContainerClass + ' ' + cardContentClass + ' itemAction lazy" data-src="' + imgUrl + '" ' + blurhashAttrib + cardImageContainerAriaLabelAttribute + '>') : ('<button data-action="' + action + '" class="' + cardImageContainerClass + ' ' + cardContentClass + ' itemAction"' + cardImageContainerAriaLabelAttribute + '>');
@ -1430,7 +1430,7 @@ import ServerConnections from '../ServerConnections';
            if (tagName === 'button') {
                className += ' itemAction';
                actionAttribute = ' data-action="' + action + '"';
-                ariaLabelAttribute = ` aria-label="${item.Name}"`;
+                ariaLabelAttribute = ` aria-label="${escapeHtml(item.Name)}"`;
            } else {
                actionAttribute = '';
            }