From 895880aeb0be0813ddf732487596633f8f9fc3a6 Mon Sep 17 00:00:00 2001
From: ed
Date: Sun, 27 Jul 2025 22:56:38 +0000
Subject: [PATCH] fix GHSA-9q4r-x2hj-jmvr ; this fixes a DOM-Based XSS when rendering multimedia metadata assuming the media-indexing option is enabled, a malicious media file could be uploaded to the server by a privileged user, executing arbitrary javascript on anyone visiting and viewing the directory the same vulnerability could also be triggered through an externally-hosted m3u file, by tricking a user into clicking a link to load and play this m3u file huge thanks to @altperfect for finding and reporting this!
---
 copyparty/web/browser.js | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/copyparty/web/browser.js b/copyparty/web/browser.js
index 51c19d2f..8820e3aa 100644
--- a/copyparty/web/browser.js
+++ b/copyparty/web/browser.js
@@ -7464,7 +7464,7 @@ var search_ui = (function () {
 nodes = ['-
' + links + '
', sz]; for (var b = 0; b < tagord.length; b++) {
- var k = tagord[b],
+ var k = esc(tagord[b]),
 v = r.tags[k] || ""; if (k == ".dur") {
@@ -7473,7 +7473,7 @@ var search_ui = (function () {
 continue; }
- nodes.push(v);
+ nodes.push(esc('' + v));
 } nodes = nodes.concat([ext, unix2iso(ts)]);
@@ -8362,7 +8362,7 @@ var treectl = (function () {
 top + tn.href + '" id="' + id + '">' + hname + '', tn.sz]; for (var b = 0; b < res.taglist.length; b++) {
- var k = res.taglist[b],
+ var k = esc(res.taglist[b]),
 v = (tn.tags || {})[k] || "", sv = null;
@@ -8371,7 +8371,7 @@ var treectl = (function () {
 else if (k == ".up_at") sv = v ? unix2iso(v) : ""; else {
- ln.push(v);
+ ln.push(esc('' + v));
 continue; } ln[ln.length - 1] += '' + sv;
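Review bot: The escaped tag name is also used as the lookup key: right after `var k = esc(tagord[b]),` the context line reads `v = r.tags[k] || ""`, so any tag whose name contains a character that esc() rewrites (presumably `&`, `<`, `>` and quotes, if esc is the HTML-escaping helper) no longer matches its entry in r.tags and silently renders as an empty value; the treectl hunk at 8362 has the same shape, with `(tn.tags || {})[k]` following `esc(res.taglist[b])`. Keep the raw key for the lookup and the `==` comparisons and escape only where the name reaches the markup, e.g. `var k = tagord[b], v = r.tags[k] || "";` with `esc(k)` applied at the point k is inserted into HTML; that point, if it exists, is outside the hunk, so I cannot confirm whether k is rendered at all. Tag names come from the server's tag list rather than from the media file, so the practical effect of the current form is a lost column value rather than a new injection, but the key used for lookup and the key used for display should not diverge. The enclosing loop body continues outside the hunk.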
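Review bot: The formatted branches still reach the same sink unescaped: `ln[ln.length - 1] += '' + sv;` appends sv straight into the row, relying on unix2iso (and whatever the branch above the hunk assigns for other keys) never to echo a non-numeric input back. If a metadata value for one of those keys arrives as a string rather than a number, the helper's output is what lands in the markup, so `ln[ln.length - 1] += esc('' + sv);` would make the sink safe regardless of what the formatter does, at no cost. The literal in `'' + sv` may have lost tags in this rendering of the patch, so the exact line to change should be checked against the file. The search_ui counterpart at 7473 has the same structure, with its formatted branch outside that hunk; the enclosing function continues outside this one.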