Merge pull request from GHSA-89hp-h43h-r5pq
Escape device id in raw HTML
joshuaboniface committed Apr 23, 2023
2 parents cf0cf93 + bd480aa commit b88a595
Showing 2 changed files with 5 additions and 3 deletions.
7 changes: 4 additions & 3 deletions src/controllers/dashboard/devices/devices.js
Expand Up @@ -96,11 +96,12 @@ import confirm from '../../../components/confirm/confirm';
let html = '';
html += devices.map(function (device) {
let deviceHtml = '';
deviceHtml += "<div data-id='" + device.Id + "' class='card backdropCard'>";
deviceHtml += "<div data-id='" + escapeHtml(device.Id) + "' class='card backdropCard'>";
deviceHtml += '<div class="cardBox visualCardBox">';
deviceHtml += '<div class="cardScalable">';
deviceHtml += '<div class="cardPadder cardPadder-backdrop"></div>';
deviceHtml += `<a is="emby-linkbutton" href="${canEdit ? '#!/device.html?id=' + device.Id : '#'}" class="cardContent cardImageContainer ${cardBuilder.getDefaultBackgroundClass()}">`;
deviceHtml += `<a is="emby-linkbutton" href="${canEdit ? '#!/device.html?id=' + escapeHtml(device.Id) : '#'}" class="cardContent cardImageContainer ${cardBuilder.getDefaultBackgroundClass()}">`;
// audit note: getDeviceIcon returns static text
const iconUrl = imageHelper.getDeviceIcon(device);

if (iconUrl) {
Expand All @@ -116,7 +117,7 @@ import confirm from '../../../components/confirm/confirm';

if (canEdit || canDelete(device.Id)) {
deviceHtml += '<div style="text-align:right; float:right;padding-top:5px;">';
deviceHtml += '<button type="button" is="paper-icon-button-light" data-id="' + device.Id + '" title="' + globalize.translate('Menu') + '" class="btnDeviceMenu"><span class="material-icons more_vert" aria-hidden="true"></span></button>';
deviceHtml += '<button type="button" is="paper-icon-button-light" data-id="' + escapeHtml(device.Id) + '" title="' + globalize.translate('Menu') + '" class="btnDeviceMenu"><span class="material-icons more_vert" aria-hidden="true"></span></button>';
deviceHtml += '</div>';
}

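Review bot: On the new href line (`'#!/device.html?id=' + escapeHtml(device.Id)`) the id is placed in a URL query component, where the primary encoding should be URL encoding; escapeHtml keeps the value from breaking out of the attribute but leaves `&`, `#`, `?` and `/` intact, so an id containing them would change how the route parses the query string. Encode for the URL first and then for the attribute: `href="${canEdit ? '#!/device.html?id=' + escapeHtml(encodeURIComponent(device.Id)) : '#'}"` (the outer escapeHtml still matters because encodeURIComponent leaves `'` unencoded). The data-id attributes on the card div and the menu button are plain attribute values, so escapeHtml alone is the right call there. The section's diffstat (4 additions, 3 deletions) is fully accounted for by the visible hunks, so no import was added in this file and escapeHtml must already be in scope from an import outside the hunk — worth confirming. The enclosing map callback starts before the first hunk and ends after the second.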
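--- a/src/scripts/imagehelper.js
+++ b/src/scripts/imagehelper.js
@@ -1,5 +1,6 @@
 
 /* eslint-disable indent */
+// audit note: this module is expected to return safe text for use in HTML
 
 export function getDeviceIcon(device) {
 const baseUrl = 'assets/img/devices/';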
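Review bot: The new module-level comment states a safety expectation without naming which exported function it binds to or why it holds, so a future contributor has nothing concrete to check a change against. The contract appears to be a property of getDeviceIcon specifically (the devices.js hunk's audit note says it returns static text and the dashboard relies on that), so it is better placed as a JSDoc on that function, along the lines of `/** Returns an icon path assembled only from constant segments; callers insert it into HTML unescaped, so never derive any part of it from device-supplied data. */`. getDeviceIcon's body continues beyond the hunk, so whether the current implementation satisfies this cannot be confirmed from here.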
