| author | Luke <luke.pulverenti@gmail.com> | 2015-12-25 16:21:18 -0500 |
|---|---|---|
| committer | Luke Pulverenti <luke.pulverenti@gmail.com> | 2015-12-27 01:07:27 -0500 |
| commit | 2fa34a236b322c0a9274b965c110446091c7dd57 (patch) | |
| tree | f2f107d86035b19447bfa9e5d05f0f7d7ff45566 | |
| parent | 94ec8d87b8479fa94dec579b2c04f3dfe3eba176 (diff) | |
fixes #1075 - XSS in "Active Devices" Panel of Admin Dashboard
| -rw-r--r-- | MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs | 13 |
1 files changed, 12 insertions, 1 deletions
diff --git a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 509a00ff9..75d54a80a 100644
--- a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -175,11 +175,22 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
 if (param.Length == 2)
 {
- result.Add(param[0], param[1].Trim(new[] { '"' }));
+ var value = NormalizeValue (param[1].Trim(new[] { '"' }));
+ result.Add(param[0], value);
 }
 }
 return result;
 }
+
+ private string NormalizeValue(string value)
+ {
+ if (string.IsNullOrWhiteSpace (value))
+ {
+ return value;
+ }
+
+ return System.Net.WebUtility.HtmlEncode(value);
+ }
 }
 } |
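Review bot: `NormalizeValue` HTML-encodes every parsed header value at input time, so the stored value no longer matches what the client sent, and the dashboard sink that rendered it unescaped is left as it was. Any value from this dictionary that is later compared or used as an identifier (the consumers are not visible in this hunk) will now differ whenever it contains `&`, `<`, `>`, quotes or a character that `WebUtility.HtmlEncode` turns into a numeric entity. A consumer that escapes on output will also double-encode. The same display fields arriving through any other path would presumably still reach the panel raw, so the durable fix is context-aware encoding where the "Active Devices" panel builds its markup. If the parse-time encoding stays, name it for what it does and document the contract, e.g. `/// <summary>HTML-encodes a header value; callers must treat the result as display text, not as a raw identifier.</summary>` on a `private static string HtmlEncodeValue(string value)`. The method that builds `result` starts outside the hunk.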
