Encode HTML entities to prevent some XSS exploits.

CVE-2017-16567 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16567 https://www.exploit-db.com/exploits/43122/ CVE-2017-16568 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-16568 https://www.exploit-db.com/exploits/43123/ CVE-2017-15687 https://nvd.nist.gov/nvd.cfm?cvename=CVE-2017-15687 https://www.exploit-db.com/exploits/43024/
LMS-Community · Nov 15, 2017 · 3f2a4dd · 3f2a4dd
1 parent cf09b99
commit 3f2a4dd
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 6 deletions.
diff --git a/HTML/Default/home.html b/HTML/Default/home.html
@@ -144,7 +144,7 @@
 						</span>
 						<div class="smallBrowseItemDetail">
 					[% END %]
-					[% IF dontGetString; link.key; ELSE; string; END %]
+					[% IF dontGetString; link.key | html; ELSE; string | html; END %]
 					[% IF link.icon && !noIcon %]
 						</div>
 					[% END %]

diff --git a/Slim/Plugin/Favorites/HTML/EN/plugins/Favorites/index.html b/Slim/Plugin/Favorites/HTML/EN/plugins/Favorites/index.html
@@ -11,7 +11,7 @@
 				<input type="hidden" name="sess" value="[% sess %]">
 				<input type="hidden" name="action" value="editset">
 				<input type="hidden" name="removeoncancel" value="[% removeoncancel %]">
-				<input id="edit_title_[% entry.index %]" style="width: 71%;" type="text" class="stdedit" name="entrytitle" value="[% entry.title %]" [% IF newlevel %] onClick="this.value=''"[% END %]>
+				<input id="edit_title_[% entry.index %]" style="width: 71%;" type="text" class="stdedit" name="entrytitle" value="[% entry.title | html %]" [% IF newlevel %] onClick="this.value=''"[% END %]>
 				[% IF useAJAX %]
 					<input type="button" class="stdclick" style="display: inline; width: 10%;" value=[% "SAVE" | string %] onclick="editSave('[% entry.index %]', '[% sess %]'); return false;" />
 					<input type="button" class="stdclick" style="display: inline; width: 10%;" value=[% "PLUGIN_FAVORITES_CANCEL" | string %] onclick="editCancel('[% entry.index %]', '[% sess %]'[% IF removeoncancel %],[% removeoncancel %][% END %]); return false;" />
@@ -29,7 +29,7 @@
 						<input type="hidden" name="sess" value="[% sess %]">
 						<input type="hidden" name="action" value="editset">
 						<input type="hidden" name="removeoncancel" value="[% removeoncancel %]">
-						<input id="edit_title_[% entry.index %]" size="25" type="text" class="stdedit" name="entrytitle" value="[% entry.title %]" [% IF newentry %] onClick="this.value=''"[% END %]>
+						<input id="edit_title_[% entry.index %]" size="25" type="text" class="stdedit" name="entrytitle" value="[% entry.title | html %]" [% IF newentry %] onClick="this.value=''"[% END %]>
 					</td>
 					<td width="35%">
 						<input id="edit_url_[% entry.index %]" size="25" type="text" class="stdedit" name="entryurl" value="[% entry.url %]" [% IF newentry %] onClick="this.value=''"[% END %]>
@@ -55,7 +55,7 @@ <h4><form id="title" name="title" method="get" action="[% webroot %]plugins/Favo
 	[% "TITLE" | string %]
 	<input type="hidden" name="sess" value="[% sess %]">
 	<input type="hidden" name="index" value="[% levelindex %]">
-	<input id="newtitle" type="text" class="stdedit" name="title" style="width: 70%;" value="[% title %]" [% IF newentry %] onClick="this.value=''"[% END %] >
+	<input id="newtitle" type="text" class="stdedit" name="title" style="width: 70%;" value="[% title | html %]" [% IF newentry %] onClick="this.value=''"[% END %] >
 	<input type="submit" class="stdclick" value="[% 'SAVE' | string %]">
 	[% IF useAJAX %]
 		<input type="button" class="stdclick" style="display: inline; width: 10%;" value="[% 'PLUGIN_FAVORITES_CANCEL' | string %]" onclick="cancelTitle([% entry.index %]); return false;" />
@@ -122,7 +122,7 @@ <h4><form id="title" name="title" method="get" action="[% webroot %]plugins/Favo
 [% BLOCK entryblock -%]
 	[%- WRAPPER contentitem leftcontrols = 'playcontrols' rightcontrols = 'editcontrols' itemobj.id = entry.index %]
 		<a id="dragitemhref_[% entry.index %]" href="[% webroot %]plugins/Favorites/index.html?index=[% entry.index %]&amp;player=[% playerURI %]&amp;sess=[% sess %]" class="browseItemLink">
-			<span id="dragitemtitle_[% entry.index %]" class = "favoritesText">[% entry.title %]</span>
+			<span id="dragitemtitle_[% entry.index %]" class = "favoritesText">[% entry.title | html %]</span>
 		</a>
 	[% END -%]
 [% END %]
@@ -214,7 +214,7 @@ <h4><form id="title" name="title" method="get" action="[% webroot %]plugins/Favo
 		     href="javascript:void(0);" onClick="ajaxUpdate('index.html', 'insert&amp;index=[% levelindex %]&amp;sess=[% sess %]'[% IF initCall; ', ' _ initCall; END %]);" class="browseItemLink"
 		   [%- ELSE %]
 		     href="[% webroot %]plugins/Favorites/index.html?insert&amp;index=[% levelindex %]&amp;sess=[% sess %]"
-		   [%- END %]><b><I>[% "PLUGIN_FAVORITES_PASTE" | string %]</b> [ [% deleted %] ]</I></a>
+		   [%- END %]><b><I>[% "PLUGIN_FAVORITES_PASTE" | string %]</b> [ [% deleted | html %] ]</I></a>
 
 	[% END %]
 	[% IF useAJAX %]</span>[% END %]