From 55f5a78f5e7f03076c79b5c9d5d3356e8ec3dbbd Mon Sep 17 00:00:00 2001
From: Vincent Lark <v.lark@astonitf.com>
Date: Thu, 26 Oct 2023 18:54:50 +0200
Subject: [PATCH] Use escapeHTML on book chapter titles

---
 src/plugins/bookPlayer/tableOfContents.js | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/src/plugins/bookPlayer/tableOfContents.js b/src/plugins/bookPlayer/tableOfContents.js
index 15c19e89d08..4c2012d0ec3 100644
--- a/src/plugins/bookPlayer/tableOfContents.js
+++ b/src/plugins/bookPlayer/tableOfContents.js
@@ -1,3 +1,4 @@
+import escapeHTML from 'escape-html';
 import dialogHelper from '../../components/dialogHelper/dialogHelper';
 
 export default class TableOfContents {
@@ -56,7 +57,7 @@ export default class TableOfContents {
 
         // remove parent directory reference from href to fix certain books
         const link = chapter.href.startsWith('../') ? chapter.href.slice(3) : chapter.href;
-        itemHtml += `<a href="${book.path.directory + link}">${chapter.label}</a>`;
+        itemHtml += `<a href="${escapeHTML(book.path.directory + link)}">${escapeHTML(chapter.label)}</a>`;
 
         if (chapter.subitems?.length) {
             const subHtml = chapter.subitems