From cf558d57c54a463129246f34114a8b10f5c13bb8 Mon Sep 17 00:00:00 2001
From: Vladimir Barinov <veselcraft@icloud.com>
Date: Fri, 10 Feb 2023 08:46:29 +0200
Subject: [PATCH] =?UTF-8?q?Fix=20funny=20xss=20thing=20(not=20tested=20sin?=
 =?UTF-8?q?ve=20since=20im=20in=20hospital=20=F0=9F=92=80)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 Web/static/js/openvk.cls.js | 12 ++++++++++++
 Web/static/js/player.js     |  2 ++
 2 files changed, 14 insertions(+)

diff --git a/Web/static/js/openvk.cls.js b/Web/static/js/openvk.cls.js
index 7532a1ad..0ecc385e 100644
--- a/Web/static/js/openvk.cls.js
+++ b/Web/static/js/openvk.cls.js
@@ -428,6 +428,18 @@ function showIncreaseRatingDialog(coinsCount, userUrl, hash) {
     };
 }
 
+function escapeHtml(text) {
+    var map = {
+      '&': '&amp;',
+      '<': '&lt;',
+      '>': '&gt;',
+      '"': '&quot;',
+      "'": '&#039;'
+    };
+    
+    return text.replace(/[&<>"']/g, function(m) { return map[m]; });
+}
+
 $(document).on("scroll", () => {
     if($(document).scrollTop() > $(".sidebar").height() + 50) {
         $(".floating_sidebar")[0].classList.add("show");
diff --git a/Web/static/js/player.js b/Web/static/js/player.js
index 8bb0f316..c1ae1919 100644
--- a/Web/static/js/player.js
+++ b/Web/static/js/player.js
@@ -16,6 +16,8 @@ function _bsdnToHumanTime(time) {
 }
 
 function _bsdnTpl(name, author) {
+    name = escapeHtml(name);
+
     return `
             <div class="bsdn_contextMenu" style="display: none;">
                 <span class="bsdn_contextMenuElement bsdn_copyVideoUrl">Copy video link to clipboard</span>