From a10c8a377572ab36413256750203baa8efb5f8b4 Mon Sep 17 00:00:00 2001
From: Greg Hormann
Date: Sun, 27 Jun 2021 14:55:51 -0400
Subject: [PATCH] Removes any html tags (or data between "<" and ">" in playlist arguments

This appears to be safe to me. We do allow arguments to be sent to scripts, and this would prevent ">" from being used, but I think that is a good thing.

Releated to https://www.huntr.dev/bounties/30-other-FalconChristmas/fpp/
---
 www/js/fpp.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/www/js/fpp.js b/www/js/fpp.js
index de32143c2..0a06a85a2 100644
--- a/www/js/fpp.js
+++ b/www/js/fpp.js
@@ -1761,7 +1761,7 @@ function AddPlaylistEntry(mode) {
 }
 pe[a.name] = arr;
 } else if ((a.type == 'string') || (a.type == 'file')) {
-pe[a.name] = $('#playlistEntryOptions').find('.arg_' + a.name).val();
+pe[a.name] = $('#playlistEntryOptions').find('.arg_' + a.name).val().replace(/<\/?[^>]+(>|$)/g, "");
 } else {
 pe[a.name] = $('#playlistEntryOptions').find('.arg_' + a.name).html();
 }
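Review bot: The tag stripping on the added line runs only in the browser, so it cannot be relied on as the fix for the reported injection — a request assembled outside this page still delivers the raw argument to the server, and the server-side code that stores and renders playlist entry arguments needs to validate or HTML-escape them itself (neutralising markup at the point of output, e.g. via textContent or escaping, rather than by deleting characters on input). The regex `/<\/?[^>]+(>|$)/g` also behaves differently from what the commit message says: because of the `(>|$)` alternative an unmatched `<` deletes everything to the end of the string (`a < b` becomes `a `), while a bare `>` is left untouched, so ">" is not actually prevented; a short comment on the line stating that intent would help the next reader. jQuery's `.val()` returns `undefined` when the selector matches nothing, in which case the new `.replace` call throws where the old line merely stored `undefined`; if that can happen, `(… .val() ?? '').replace(/<\/?[^>]+(>|$)/g, "")` keeps the old tolerance. AddPlaylistEntry starts and ends outside the hunk, and the `.html()` branch two lines below is left unfiltered, which may be intentional but is worth confirming.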