authorLuke <luke.pulverenti@gmail.com>2015-12-25 16:21:18 -0500
committerLuke Pulverenti <luke.pulverenti@gmail.com>2015-12-27 01:07:27 -0500
commit2fa34a236b322c0a9274b965c110446091c7dd57 (patch)
treef2f107d86035b19447bfa9e5d05f0f7d7ff45566 /MediaBrowser.Server.Implementations/HttpServer
parent94ec8d87b8479fa94dec579b2c04f3dfe3eba176 (diff)
fixes #1075 - XSS in "Active Devices" Panel of Admin Dashboard
Diffstat (limited to 'MediaBrowser.Server.Implementations/HttpServer')
-rw-r--r--MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs13
1 files changed, 12 insertions, 1 deletions
diff --git a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
index 509a00ff9..75d54a80a 100644
--- a/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
+++ b/MediaBrowser.Server.Implementations/HttpServer/Security/AuthorizationContext.cs
@@ -175,11 +175,22 @@ namespace MediaBrowser.Server.Implementations.HttpServer.Security
if (param.Length == 2)
{
- result.Add(param[0], param[1].Trim(new[] { '"' }));
+ var value = NormalizeValue (param[1].Trim(new[] { '"' }));
+ result.Add(param[0], value);
}
}
return result;
}
+
+ private string NormalizeValue(string value)
+ {
+ if (string.IsNullOrWhiteSpace (value))
+ {
+ return value;
+ }
+
+ return System.Net.WebUtility.HtmlEncode(value);
+ }
}
}
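Review bot: `NormalizeValue` HTML-encodes every parsed header value at input time, so the escaped form is what the rest of the server stores and compares, not only what the dashboard renders. If any of these keys carries a credential or an identifier that is matched against stored data (the key names are not visible in this hunk), a value containing `&`, `<` or `"` would no longer compare equal, and any view that already encodes on output would show double-escaped text. The more durable fix is to keep the raw value in the parser and encode where the device list is rendered; if the encoding stays here, say so at the method, e.g. `// HTML-encoded on input because the dashboard renders these values unescaped; do not encode again on output`, and confirm that device and client names arriving by routes other than this header get the same treatment. The enclosing parsing method starts above the hunk, so its callers and the set of keys it handles could not be checked.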