Item cards allow XSS via aria label #3788
Labels: bug (Something isn't working), regression (We broke something), security (This PR or issue mainly concerns security)
Describe The Bug
The aria labels added to cards for accessibility in 10.8 do not properly strip HTML from item names.
Steps To Reproduce
"><img src=/X onerror=alert("xss")>).
Expected Behavior
Any HTML should be escaped in the item name before using it as the label.
Logs
N/A
Screenshots
N/A
System (please complete the following information):
Additional Context
This security vulnerability was reported to Jellyfin by Christian Pöschl of usd AG following Jellyfin's security policy. The issue was reported as Advisory IDs usd-2022-0030 and usd-2022-0031.