jellyfin-web
Fix chapter name XSS injection in progress bar
The chapter markers in the video player seekbar, introduced in 10.9, have some issues. First, they add unsanitized user values to the seekbar (chapter name). And secondly, those names can be anything, which could cause serious issues when they clash with existing CSS classes. I have no idea why we add these names as a class as this does not provide any benefit. For now, just add the specific className (which is currently always chapterMarker).
Changes
- Fix chapter name XSS injection in progress bar
Issues
Fixes #5561
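
The two problems named in the description, shown as an added example that is not code from this pull request or from jellyfin-web: a chapter name interpolated into a class attribute can add attributes to the tag or match an existing class, while a fixed class name cannot. The function names, the markup, the `hide` class and the sample chapter names are assumptions constructed for illustration.

```javascript
// Added illustration; not jellyfin-web source. All names and markup are hypothetical.

// Pattern described as the problem: the chapter name lands in the class attribute as-is.
function markerBefore(chapterName, percent) {
    return `<span class="chapterMarker ${chapterName}" style="left:${Number(percent)}%"></span>`;
}

// Pattern described as the fix: only the fixed class name is emitted.
function markerAfter(percent) {
    return `<span class="chapterMarker" style="left:${Number(percent)}%"></span>`;
}

// Parse the first start tag and report what the markup now carries:
// attribute names outside the expected set, and class tokens that match
// classes the stylesheet already defines.
function auditMarker(html, stylesheetClasses) {
    const tag = /^<\w+([^>]*)>/.exec(html);
    const attrs = new Map();
    if (tag) {
        const re = /([^\s"'=<>\/]+)(?:\s*=\s*"([^"]*)")?/g;
        let m;
        while ((m = re.exec(tag[1])) !== null) {
            attrs.set(m[1].toLowerCase(), m[2] ?? '');
        }
    }
    const expected = new Set(['class', 'style']);
    const classes = (attrs.get('class') || '').split(/\s+/).filter(Boolean);
    return {
        unexpectedAttributes: [...attrs.keys()].filter((a) => !expected.has(a)),
        collidingClasses: classes.filter((c) => c !== 'chapterMarker' && stylesheetClasses.has(c))
    };
}

// Constructed inputs: an assumed stylesheet, one chapter name that matches a class
// in it, and one chapter name that contains a double quote.
const STYLESHEET_CLASSES = new Set(['chapterMarker', 'hide']);
const SAMPLE_NAMES = ['hide', 'Intro" data-x="1'];

// Audit each sample name through the "before" pattern, then the "after" pattern once.
function demo() {
    const before = SAMPLE_NAMES.map((n) => auditMarker(markerBefore(n, 10), STYLESHEET_CLASSES));
    const after = auditMarker(markerAfter(10), STYLESHEET_CLASSES);
    return { before, after };
}
```

The same audit can be run in a unit test over any chapter names taken from real media metadata to confirm the rendered marker carries only `class` and `style`.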