Utilize escapeHtml

8 years ago · 0fb3b18a8f
4 changed files with 9 additions and 5 deletions
--- a/src/webui/www/public/scripts/client.js
+++ b/src/webui/www/public/scripts/client.js
@ -629,6 +629,10 @@ var loadTorrentPeersData = function(){
				@@ -629,6 +629,10 @@ var loadTorrentPeersData = function(){
                if (response['peers']) {
                    for (var key in response['peers']) {
                        response['peers'][key]['rowId'] = key;
+
+                        if (response['peers'][key]['client'])
+                            response['peers'][key]['client'] = escapeHtml(response['peers'][key]['client']);
+
                        torrentPeersTable.updateRowData(response['peers'][key]);
                    }
                }
--- a/src/webui/www/public/scripts/prop-files.js
+++ b/src/webui/www/public/scripts/prop-files.js
@ -311,7 +311,7 @@ var loadTorrentFilesData = function() {
				@@ -311,7 +311,7 @@ var loadTorrentFilesData = function() {
                    var row = new Array();
                    row.length = 4;
                    row[0] = file.priority;
-                    row[1] = file.name;
+                    row[1] = escapeHtml(file.name);
                    row[2] = friendlyUnit(file.size, false);
                    row[3] = (file.progress * 100).round(1);
                    if (row[3] == 100.0 && file.progress < 1.0)
--- a/src/webui/www/public/scripts/prop-general.js
+++ b/src/webui/www/public/scripts/prop-general.js
@ -130,7 +130,7 @@ var loadTorrentData = function() {
				@@ -130,7 +130,7 @@ var loadTorrentData = function() {
                    temp = "QBT_TR(Unknown)QBT_TR";
                $('pieces').set('html', temp);

-                $('created_by').set('html', data.created_by);
+                $('created_by').set('html', escapeHtml(data.created_by));
                if (data.addition_date != -1)
                    temp = new Date(data.addition_date * 1000).toLocaleString();
                else
@ -152,7 +152,7 @@ var loadTorrentData = function() {
				@@ -152,7 +152,7 @@ var loadTorrentData = function() {

                $('save_path').set('html', data.save_path);

-                $('comment').set('html', parseHtmlLinks(data.comment));
+                $('comment').set('html', parseHtmlLinks(escapeHtml(data.comment)));
            }
            else {
                clearData();
--- a/src/webui/www/public/scripts/prop-trackers.js
+++ b/src/webui/www/public/scripts/prop-trackers.js
@ -87,10 +87,10 @@ var loadTrackersData = function() {
				@@ -87,10 +87,10 @@ var loadTrackersData = function() {
                trackers.each(function(tracker) {
                    var row = new Array();
                    row.length = 4;
-                    row[0] = tracker.url;
+                    row[0] = escapeHtml(tracker.url);
                    row[1] = tracker.status;
                    row[2] = tracker.num_peers;
-                    row[3] = tracker.msg;
+                    row[3] = escapeHtml(tracker.msg);
                    tTable.insertRow(row);
                });
            }