fixes #1075 - XSS in "Active Devices" Panel of Admin Dashboard

9 years ago · 9c3119808b
parent da5fc95612
commit 9c3119808b
1 changed files with 12 additions and 1 deletions
--- a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@ -175,11 +175,22 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security

                if (param.Length == 2)
                {
-                    result.Add(param[0], param[1].Trim(new[] { '"' }));
+					var value = NormalizeValue (param[1].Trim(new[] { '"' }));
+                    result.Add(param[0], value);
                }
            }

            return result;
        }
+
+		private string NormalizeValue(string value)
+		{
+			if (string.IsNullOrWhiteSpace (value)) 
+			{
+				return value;
+			}
+
+			return System.Net.WebUtility.HtmlEncode(value);
+		}
    }
 }