fix: XSS in renderTags and stale api.js version in player.html

Tag values were inserted into innerHTML unsanitized — a tag containing
HTML would execute as markup. Switch to DOM-only construction for the
tag badges. Also bump api.js cache-buster to v=6.
Zac Gaetano 2026-05-19 00:30:54 -04:00
parent f1e0453b0a
commit 280fc9dff2


@ -304,7 +304,7 @@
</footer> </footer>
</div> </div>
<script src="/js/api.js?v=5"></script> <script src="/js/api.js?v=6"></script>
<script src="/js/topbar-strip.js?v=1"></script> <script src="/js/topbar-strip.js?v=1"></script>
<script> <script>
// ============================================================ // ============================================================
@ -407,10 +407,17 @@
playerState.tags.forEach((tag, index) => { playerState.tags.forEach((tag, index) => {
const badge = document.createElement('div'); const badge = document.createElement('div');
badge.className = 'tag-badge'; badge.className = 'tag-badge';
badge.innerHTML = `
<span>${tag}</span> const tagSpan = document.createElement('span');
<span class="tag-remove" onclick="removeTag(${index})">×</span> tagSpan.textContent = tag;
`;
const removeSpan = document.createElement('span');
removeSpan.className = 'tag-remove';
removeSpan.textContent = '×';
removeSpan.onclick = () => removeTag(index);
badge.appendChild(tagSpan);
badge.appendChild(removeSpan);
container.appendChild(badge); container.appendChild(badge);
}); });
} }
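Review bot: The rewritten badge loop has no comment recording why it builds the nodes by hand, so a later tidy-up back to a template string would quietly restore the innerHTML sink; above `tagSpan.textContent = tag;` I would add `// tag text is untrusted: assign via textContent, never interpolate into innerHTML`. Replacing the inline `onclick="removeTag(${index})"` attribute with a function assigned to `removeSpan.onclick` also removes one inline event-handler attribute, which helps if the page later adopts a Content-Security-Policy without `'unsafe-inline'`. The enclosing function starts above the hunk, so it is not visible here whether other `playerState` fields are still written through `innerHTML` elsewhere in this file; that is worth a search before treating the XSS as closed.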