From 0a1f717b45601bcae7f14c3efd781b5e5f349292 Mon Sep 17 00:00:00 2001
From: mrilyew <99399973+mrilyew@users.noreply.github.com>
Date: Fri, 13 Dec 2024 16:43:34 +0300
Subject: [PATCH] fix(xss): fix #1181

---
 Web/Presenters/templates/Audio/Upload.xml | 6 +++---
 Web/static/js/al_music.js                 | 8 ++++----
 Web/static/js/al_wall.js                  | 2 +-
 Web/static/js/router.js                   | 8 ++++++++
 4 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/Web/Presenters/templates/Audio/Upload.xml b/Web/Presenters/templates/Audio/Upload.xml
index 8433ea6e..7be039d9 100644
--- a/Web/Presenters/templates/Audio/Upload.xml
+++ b/Web/Presenters/templates/Audio/Upload.xml
@@ -164,11 +164,11 @@
                         <tbody>
                             <tr>
                                 <td width="120" valign="top"><span class="nobold">${tr('performer')}:</span></td>
-                                <td><input value='${audio_element.info.performer}' name="performer" type="text" autocomplete="off" maxlength="80" /></td>
+                                <td><input value='${escapeHtml(audio_element.info.performer)}' name="performer" type="text" autocomplete="off" maxlength="80" /></td>
                             </tr>
                             <tr>
                                 <td width="120" valign="top"><span class="nobold">${tr('audio_name')}:</span></td>
-                                <td><input type="text" value='${audio_element.info.name}' name="name" autocomplete="off" maxlength="80" /></td>
+                                <td><input type="text" value='${escapeHtml(audio_element.info.name)}' name="name" autocomplete="off" maxlength="80" /></td>
                             </tr>
                             <tr>
                                 <td width="120" valign="top"><span class="nobold">${tr('genre')}:</span></td>
@@ -178,7 +178,7 @@
                             </tr>
                             <tr>
                                 <td width="120" valign="top"><span class="nobold">${tr('lyrics')}:</span></td>
-                                <td><textarea name="lyrics" style="resize: vertical;max-height: 300px;">${audio_element.info.lyrics}</textarea></td>
+                                <td><textarea name="lyrics" style="resize: vertical;max-height: 300px;">${escapeHtml(audio_element.info.lyrics)}</textarea></td>
                             </tr>
                             <tr>
                                 <td width="120" valign="top"></td>
diff --git a/Web/static/js/al_music.js b/Web/static/js/al_music.js
index 8b4b0a82..d9029763 100644
--- a/Web/static/js/al_music.js
+++ b/Web/static/js/al_music.js
@@ -1306,12 +1306,12 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
     MessageBox(tr("edit_audio"), `
         <div>
             ${tr("performer")}
-            <input name="performer" maxlength="256" type="text" value="${performer}">
+            <input name="performer" maxlength="256" type="text" value="${escapeHtml(performer)}">
         </div>
 
         <div style="margin-top: 11px">
             ${tr("audio_name")}
-            <input name="name" maxlength="256" type="text" value="${name}">
+            <input name="name" maxlength="256" type="text" value="${escapeHtml(name)}">
         </div>
 
         <div style="margin-top: 11px">
@@ -1359,7 +1359,7 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
                         
                         e.target.setAttribute("data-performer", escapeHtml(response.new_info.performer))
                         e.target.setAttribute("data-title", escapeHtml(response.new_info.name))
-                        e.target.setAttribute("data-lyrics", response.new_info.lyrics_unformatted)
+                        e.target.setAttribute("data-lyrics", escapeHtml(response.new_info.lyrics_unformatted))
                         e.target.setAttribute("data-explicit", Number(response.new_info.explicit))
                         e.target.setAttribute("data-searchable", Number(!response.new_info.unlisted))
                         player.setAttribute("data-genre", response.new_info.genre)
@@ -1374,7 +1374,7 @@ u(document).on("click", ".musicIcon.edit-icon", (e) => {
                             } else {
                                 player.insertAdjacentHTML("beforeend", `
                                     <div class="lyrics">
-                                        ${response.new_info.lyrics}
+                                        ${escapeHtml(response.new_info.lyrics)}
                                     </div>
                                 `)
     
diff --git a/Web/static/js/al_wall.js b/Web/static/js/al_wall.js
index 95aeebeb..06420ceb 100644
--- a/Web/static/js/al_wall.js
+++ b/Web/static/js/al_wall.js
@@ -2579,7 +2579,7 @@ async function changeStatus() {
         document.querySelector("#page_status_text").innerHTML = `[ ${tr("change_status")} ]`;
         document.querySelector("#page_status_text").className = "edit_link page_status_edit_button";
     } else {
-        document.querySelector("#page_status_text").innerHTML = status;
+        document.querySelector("#page_status_text").innerHTML = escapeHtml(status);
         document.querySelector("#page_status_text").className = "page_status page_status_edit_button";
     }
 
diff --git a/Web/static/js/router.js b/Web/static/js/router.js
index d72249c5..8ef87123 100644
--- a/Web/static/js/router.js
+++ b/Web/static/js/router.js
@@ -234,6 +234,10 @@ window.router = new class {
 }
 
 u(document).on('click', 'a', async (e) => {
+    if(e.defaultPrevented) {
+        return
+    }
+    
     const target = u(e.target).closest('a')
     const dom_url = target.attr('href')
     const id = target.attr('id')
@@ -289,6 +293,10 @@ u(document).on('click', 'a', async (e) => {
 })
 
 u(document).on('submit', 'form', async (e) => {
+    if(e.defaultPrevented) {
+        return
+    }
+
     if(u('#ajloader').hasClass('shown')) {
         e.preventDefault()
         return