From 3b3d5b033aac3a019af64f83dec84f70ed2c8aba Mon Sep 17 00:00:00 2001
From: Alex X
Date: Thu, 11 Jan 2024 14:13:52 +0300
Subject: [PATCH] Add sanitize from XSS to WebUI
---
 www/index.html | 3 ++-
 www/links.html | 2 +-
 2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/www/index.html b/www/index.html
index 69403e98..4e4f9992 100644
--- a/www/index.html
+++ b/www/index.html
@@ -124,7 +124,8 @@
 fetch(url, {cache: 'no-cache'}).then(r => r.json()).then(data => {
 tbody.innerHTML = '';
- for (const [name, value] of Object.entries(data)) {
+ for (const [key, value] of Object.entries(data)) {
+ const name = key.replace(/[<">]/g, ''); // sanitize
 const online = value && value.consumers ? value.consumers.length : 0;
 const src = encodeURIComponent(name);
 const links = templates.map(link => {
diff --git a/www/links.html b/www/links.html
index 25f7780a..bc9c08c3 100644
--- a/www/links.html
+++ b/www/links.html
@@ -43,7 +43,7 @@
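Review bot: In the www/index.html hunk, `key.replace(/[<">]/g, '')` sanitizes by deleting a fixed set of characters rather than escaping at the point of output, and the set leaves `&` and `'` alone, so whether it is sufficient depends on how `name` is inserted into the row markup, which is outside this hunk. Because `src` is now built from the stripped `name`, a stream whose key contains any of those characters gets links that point at a different, possibly non-existent stream; `const src = encodeURIComponent(key);` keeps the links correct. For display I would escape instead of strip, e.g. `const name = key.replace(/[&<>"']/g, c => '&#' + c.charCodeAt(0) + ';');`, or better build the cells with `textContent` and `setAttribute` so that no HTML string is assembled from API data. The loop body continues past the end of the hunk.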