mirrors/jellyfin-web
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin-web synced 2025-03-30 19:56:21 +00:00
Code Activity

Fix xss in api key page

Browse source
This commit is contained in:
Bill Thornton 2023-05-12 00:13:12 -04:00
parent 4475b742d3
commit f8334c64ba
1 changed files with 5 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

8
src/controllers/dashboard/apikeys.js
View file

@ -1,3 +1,5 @@
import escapeHTML from 'escape-html';
import datetime from '../../scripts/datetime'; import datetime from '../../scripts/datetime';
import loading from '../../components/loading/loading'; import loading from '../../components/loading/loading';
import dom from '../../scripts/dom'; import dom from '../../scripts/dom';
@ -23,13 +25,13 @@ function renderKeys(page, keys) {
let html = ''; let html = '';
html += '<tr class="detailTableBodyRow detailTableBodyRow-shaded">'; html += '<tr class="detailTableBodyRow detailTableBodyRow-shaded">';
html += '<td class="detailTableBodyCell">'; html += '<td class="detailTableBodyCell">';
html += '<button type="button" is="emby-button" data-token="' + item.AccessToken + '" class="raised raised-mini btnRevoke" data-mini="true" title="' + globalize.translate('ButtonRevoke') + '" style="margin:0;">' + globalize.translate('ButtonRevoke') + '</button>'; html += '<button type="button" is="emby-button" data-token="' + escapeHTML(item.AccessToken) + '" class="raised raised-mini btnRevoke" data-mini="true" title="' + globalize.translate('ButtonRevoke') + '" style="margin:0;">' + globalize.translate('ButtonRevoke') + '</button>';
html += '</td>'; html += '</td>';
html += '<td class="detailTableBodyCell" style="vertical-align:middle;">'; html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
html += item.AccessToken; html += escapeHTML(item.AccessToken);
html += '</td>'; html += '</td>';
html += '<td class="detailTableBodyCell" style="vertical-align:middle;">'; html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
html += item.AppName || ''; html += escapeHTML(item.AppName) || '';
html += '</td>'; html += '</td>';
html += '<td class="detailTableBodyCell" style="vertical-align:middle;">'; html += '<td class="detailTableBodyCell" style="vertical-align:middle;">';
const date = datetime.parseISO8601Date(item.DateCreated, true); const date = datetime.parseISO8601Date(item.DateCreated, true);