From d12dcc2cbdf08ec49ec162938a738994814e4cdd Mon Sep 17 00:00:00 2001
From: Nick Pakhodnia
Date: Thu, 21 May 2026 09:17:22 -0400
Subject: [PATCH] readerjs breakout

---
 modules/api/views.js | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/modules/api/views.js b/modules/api/views.js
index 00bdbe74a..c555d1136 100644
--- a/modules/api/views.js
+++ b/modules/api/views.js
@@ -302,10 +302,18 @@ export default function(app) {
 var htmlArray = (html || "").match(/.{1,8191}/g) || "";
+ // Emitted raw inside a " would break out of
+ // the script element (XSS). Escape "<" to its < JS escape, which
+ // is inert in HTML but decodes back to "<" in JS.
+ function jsonForScript(value) {
+ return JSON.stringify(value).replace(/