Skip to content

Commit

Permalink
fix(js): sanitize metadata in order to prevent unlikely XSS
Browse files Browse the repository at this point in the history 
This commit makes sure that media metadata is sanitized before usage in
HTML. This prevents a theoretical XSS. An attacker would need to be able
to modify the media file played by MPV.

Thanks to [@marben-olvbar](https://github.com/marben-olvbar) for
pointing this out.
  • Loading branch information
@open-dynaMIX
open-dynaMIX committed Dec 29, 2020
1 parent cf0378a commit 99822d6
Showing 1 changed file with 21 additions and 6 deletions.
27 changes: 21 additions & 6 deletions webui-page/webui.js
View file
Original file line number Diff line number Diff line change
Expand Up @@ -355,6 +355,21 @@ function setTrackList(tracklist) {
document.getElementById("nextAudio").innerText = 'Next audio ' + window.audios.selected + '/' + window.audios.count;
}

function sanitize(string) {
// https://stackoverflow.com/a/48226843
const map = {
'&': '&',
'<': '&lt;',
'>': '&gt;',
'"': '&quot;',
"'": '&#x27;',
"/": '&#x2F;',
"`": '&grave;',
};
const reg = /[&<>"'/`]/ig;
return string.replace(reg, (match)=>(map[match]));
}

function setMetadata(metadata, playlist, filename) {
// try to gather the track number
let track = '';
Expand All @@ -375,25 +390,25 @@ function setMetadata(metadata, playlist, filename) {
// 3. metadata['TITLE']
// 4. filename
if (pl_title) {
window.metadata.title = track + pl_title;
window.metadata.title = sanitize(track + pl_title);
} else if (metadata['title']) {
window.metadata.title = track + metadata['title'];
window.metadata.title = track + sanitize(metadata['title']);
} else if (metadata['TITLE']) {
window.metadata.title = track + metadata['TITLE'];
window.metadata.title = track + sanitize(metadata['TITLE']);
} else {
window.metadata.title = track + filename;
window.metadata.title = track + sanitize(filename);
}

// set the artist
if (metadata['artist']) {
window.metadata.artist = metadata['artist'];
window.metadata.artist = sanitize(metadata['artist']);
} else {
window.metadata.artist = ''
}

// set the album
if (metadata['album']) {
window.metadata.album = metadata['album'];
window.metadata.album = sanitize(metadata['album']);
} else {
window.metadata.album = ''
}
Expand Down

0 comments on commit 99822d6

Please sign in to comment.