Use escapeHTML on book chapter titles

jellyfin · Nov 8, 2023 · 55f5a78 · 55f5a78
1 parent 38d8caf
commit 55f5a78
Showing 1 changed file with 2 additions and 1 deletion.
diff --git a/src/plugins/bookPlayer/tableOfContents.js b/src/plugins/bookPlayer/tableOfContents.js
@@ -1,3 +1,4 @@
+import escapeHTML from 'escape-html';
 import dialogHelper from '../../components/dialogHelper/dialogHelper';
 
 export default class TableOfContents {
@@ -56,7 +57,7 @@ export default class TableOfContents {
 
         // remove parent directory reference from href to fix certain books
         const link = chapter.href.startsWith('../') ? chapter.href.slice(3) : chapter.href;
-        itemHtml += `<a href="${book.path.directory + link}">${chapter.label}</a>`;
+        itemHtml += `<a href="${escapeHTML(book.path.directory + link)}">${escapeHTML(chapter.label)}</a>`;
 
         if (chapter.subitems?.length) {
             const subHtml = chapter.subitems