fix: XSS in renderTags and stale api.js version in player.html

Tag values were inserted into innerHTML unsanitized — a tag containing HTML would execute as markup. Switch to DOM-only construction for the tag badges. Also bump api.js cache-buster to v=6.
2026-05-19 00:30:54 -04:00 · 2026-05-19 00:30:54 -04:00 · 280fc9dff2
commit 280fc9dff2
parent f1e0453b0a
1 changed files with 12 additions and 5 deletions
--- a/services/web-ui/public/player.html
+++ b/services/web-ui/public/player.html
@ -304,7 +304,7 @@
        </footer>
    </div>

-    <script src="/js/api.js?v=5"></script>
+    <script src="/js/api.js?v=6"></script>
 <script src="/js/topbar-strip.js?v=1"></script>
    <script>
        // ============================================================
@ -407,10 +407,17 @@
            playerState.tags.forEach((tag, index) => {
                const badge = document.createElement('div');
                badge.className = 'tag-badge';
-                badge.innerHTML = `
-                    <span>${tag}</span>
-                    <span class="tag-remove" onclick="removeTag(${index})">×</span>
-                `;
+
+                const tagSpan = document.createElement('span');
+                tagSpan.textContent = tag;
+
+                const removeSpan = document.createElement('span');
+                removeSpan.className = 'tag-remove';
+                removeSpan.textContent = '×';
+                removeSpan.onclick = () => removeTag(index);
+
+                badge.appendChild(tagSpan);
+                badge.appendChild(removeSpan);
                container.appendChild(badge);
            });
        }