Removes any html tags (or data between "<" and ">" in playlist arguments

This appears to be safe to me. We do allow arguments to be sent to scripts, and this would prevent ">" from being used, but I think that is a good thing. Releated to https://www.huntr.dev/bounties/30-other-FalconChristmas/fpp/
FalconChristmas · Jun 27, 2021 · a10c8a3 · a10c8a3
1 parent 09d6d3e
commit a10c8a3
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/www/js/fpp.js b/www/js/fpp.js
@@ -1761,7 +1761,7 @@ function AddPlaylistEntry(mode) {
             }
             pe[a.name] = arr;
         } else if ((a.type == 'string') || (a.type == 'file')) {
-            pe[a.name] = $('#playlistEntryOptions').find('.arg_' + a.name).val();
+            pe[a.name] = $('#playlistEntryOptions').find('.arg_' + a.name).val().replace(/<\/?[^>]+(>|$)/g, "");
         } else {
             pe[a.name] = $('#playlistEntryOptions').find('.arg_' + a.name).html();
         }