Avoid cross-site scripting

See: https://lgtm.com/rules/1510377426397/
This commit is contained in:
Deluan 2020-11-05 12:32:39 -05:00
parent c9b119f0a4
commit 9cbeddae8f
1 changed files with 2 additions and 1 deletions


@ -4,6 +4,7 @@ import (
"context"
"encoding/json"
"fmt"
"html"
"net/http"
"strconv"
"strings"
@ -123,7 +124,7 @@ func addToPlaylist(ds model.DataStore) http.HandlerFunc {
}
// Must return an object with an ID, to satisfy ReactAdmin `create` call
_, err = w.Write([]byte(fmt.Sprintf(`{"id":"%s"}`, playlistId)))
_, err = fmt.Fprintf(w, `{"id":"%s"}`, html.EscapeString(playlistId))
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
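Review bot: `html.EscapeString` on the new `fmt.Fprintf` line is the wrong encoder for a JSON body: it turns `&`, `<`, `>`, `'` and `"` into HTML entities, so an id containing any of them no longer round-trips to the client (`&` comes back as `&amp;`), while a backslash in playlistId is passed through untouched and can still produce invalid JSON. The package already imports `encoding/json` (first hunk), so the response should be built by the JSON encoder, which quotes correctly by construction and also covers the reflected-content finding the commit is addressing: `err = json.NewEncoder(w).Encode(map[string]string{"id": playlistId})` in place of the `fmt.Fprintf` line (note the left side changes from `_, err =` to `err =`). If the handler does not already set it somewhere above, `w.Header().Set("Content-Type", "application/json")` before the write would tell the browser not to sniff the body as HTML; that part of addToPlaylist is outside the hunk, so this is inferred. The `// Must return an object with an ID ...` comment still applies and can stay as is.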