From 99822d6ac6c8f0b223b47e6e29df48624b0b395d Mon Sep 17 00:00:00 2001
From: Fabio Ambauen <1833932+open-dynaMIX@users.noreply.github.com>
Date: Tue, 29 Dec 2020 20:05:19 +0100
Subject: [PATCH] fix(js): sanitize metadata in order to prevent unlikely XSS

This commit makes sure that media metadata is sanitized before usage in HTML. This prevents a theoretical XSS. An attacker would need to be able to modify the media file played by MPV. Thanks to [@marben-olvbar](https://github.com/marben-olvbar) for pointing this out.
---
 webui-page/webui.js | 27 +++++++++++++++++++++------
 1 file changed, 21 insertions(+), 6 deletions(-)

diff --git a/webui-page/webui.js b/webui-page/webui.js
index bf0cc771..79e515fa 100644
--- a/webui-page/webui.js
+++ b/webui-page/webui.js
@@ -355,6 +355,21 @@ function setTrackList(tracklist) {
 document.getElementById("nextAudio").innerText = 'Next audio ' + window.audios.selected + '/' + window.audios.count;
 }
 
+function sanitize(string) {
+ // https://stackoverflow.com/a/48226843
+ const map = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ "/": '/',
+ "`": '`',
+ };
+ const reg = /[&<>"'/`]/ig;
+ return string.replace(reg, (match)=>(map[match]));
+}
+
 function setMetadata(metadata, playlist, filename) {
 // try to gather the track number
 let track = '';
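Review bot: `sanitize()` HTML-encodes values before they are stored in `window.metadata`, so every later consumer receives encoded text whether or not it writes HTML; where a sink can take plain text, assigning through `innerText`/`textContent` (as the `nextAudio` context line already does) avoids both the injection and the double-encoding. As rendered on this page the `map` values are identical to their keys, which is most likely entity decoding by the page rather than the committed code; the replacements need to be the entities (`&amp;`, `&lt;`, `&gt;`, `&quot;`, …), and that is worth confirming in the actual file. `string.replace` also throws on a non-string argument, so `return String(string).replace(reg, (match) => map[match]);` would keep an unexpected value from aborting `setMetadata`. The `i` flag on `reg` has no effect because the character class contains no letters.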
@@ -375,25 +390,25 @@ function setMetadata(metadata, playlist, filename) {
 // 3. metadata['TITLE']
 // 4. filename
 if (pl_title) {
- window.metadata.title = track + pl_title;
+ window.metadata.title = sanitize(track + pl_title);
 } else if (metadata['title']) {
- window.metadata.title = track + metadata['title'];
+ window.metadata.title = track + sanitize(metadata['title']);
 } else if (metadata['TITLE']) {
- window.metadata.title = track + metadata['TITLE'];
+ window.metadata.title = track + sanitize(metadata['TITLE']);
 } else {
- window.metadata.title = track + filename;
+ window.metadata.title = track + sanitize(filename);
 }
 
 // set the artist
 if (metadata['artist']) {
- window.metadata.artist = metadata['artist'];
+ window.metadata.artist = sanitize(metadata['artist']);
 } else {
 window.metadata.artist = ''
 }
 
 // set the album
 if (metadata['album']) {
- window.metadata.album = metadata['album'];
+ window.metadata.album = sanitize(metadata['album']);
 } else {
 window.metadata.album = ''
 }
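Review bot: `track` is escaped only in the `pl_title` branch (`sanitize(track + pl_title)`); the `title`, `TITLE` and `filename` branches concatenate it raw in front of the sanitized string. `track` is built above this hunk, so whether it can carry markup is not visible here, but if it is derived from the file's track-number tag it is as attacker-controlled as the title. Wrapping the whole concatenation keeps the four branches consistent: `window.metadata.title = sanitize(track + metadata['title']);`, and likewise for `metadata['TITLE']` and `filename`. `setMetadata` starts and ends outside the hunk.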