From 25bf44d7adb6784cca1990112a2f4f35bf00a2f3 Mon Sep 17 00:00:00 2001
From: Omar Roth
Date: Wed, 1 Aug 2018 16:07:47 -0500
Subject: [PATCH] HTML escape title on watch and embed pages
---
 src/invidious/views/embed.ecr | 4 ++--
 src/invidious/views/watch.ecr | 10 +++++-----
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/invidious/views/embed.ecr b/src/invidious/views/embed.ecr
index b23917db..315d06af 100644
--- a/src/invidious/views/embed.ecr
+++ b/src/invidious/views/embed.ecr
@@ -14,7 +14,7 @@
-<%= video.title %> - Invidious
+<%= HTML.escape(video.title) %> - Invidious
@@ -82,7 +82,7 @@
 var shareOptions = {
 socials: ["fb", "tw", "reddit", "mail"],
 url: "<%= host_url %>/<%= video.id %>?<%= host_params %>",
- title: "<%= video.title %>",
+ title: "<%= HTML.escape(video.title) %>",
 description: "<%= description %>",
 image: '<%= thumbnail %>',
 embedCode: `
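Review bot: In the second embed.ecr hunk, `title: "<%= HTML.escape(video.title) %>"` sits inside the `shareOptions` JavaScript object, and HTML escaping is the wrong encoding for a JavaScript string literal: it leaves backslashes and line terminators untouched, so a title containing them can still change how the literal is parsed, and the entities are presumably never decoded there, so the share title would show `&amp;` literally. Emit the value as a JavaScript string instead, for example `title: <%= video.title.to_json.gsub("<", "\\u003c") %>,`, where replacing `<` keeps a `</script>` sequence from ending the block (assuming this object is rendered inside a script element, which the hunk does not show). The neighbouring `description`, `thumbnail`, `host_url` and `host_params` interpolations in the context lines land in the same string context and deserve the same check, unless they are already encoded where they are computed. The `<title>` change in the first hunk is an HTML text context, where `HTML.escape` is the right call.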