diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index e3c962058..6a2ac4aab 100644
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -10,7 +10,7 @@ import {
STATIC_MAX_AGE,
OPENGRAPH_AND_OEMBED_COMMENT
} from '../initializers'
-import { root, readFileBufferPromise } from '../helpers'
+import { root, readFileBufferPromise, escapeHTML } from '../helpers'
import { VideoInstance } from '../models'
const clientsRouter = express.Router()
@@ -47,21 +47,24 @@ function addOpenGraphAndOEmbedTags (htmlStringPage: string, video: VideoInstance
const previewUrl = CONFIG.WEBSERVER.URL + STATIC_PATHS.PREVIEWS + video.getPreviewName()
const videoUrl = CONFIG.WEBSERVER.URL + '/videos/watch/' + video.uuid
+ const videoName = escapeHTML(video.name)
+ const videoDescription = escapeHTML(video.description)
+
const openGraphMetaTags = {
'og:type': 'video',
- 'og:title': video.name,
+ 'og:title': videoName,
'og:image': previewUrl,
'og:url': videoUrl,
- 'og:description': video.description,
+ 'og:description': videoDescription,
- 'name': video.name,
- 'description': video.description,
+ 'name': videoName,
+ 'description': videoDescription,
'image': previewUrl,
'twitter:card': 'summary_large_image',
'twitter:site': '@Chocobozzz',
- 'twitter:title': video.name,
- 'twitter:description': video.description,
+ 'twitter:title': videoName,
+ 'twitter:description': videoDescription,
'twitter:image': previewUrl
}
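Review bot: `escapeHTML(video.description)` near the top of the hunk renders a missing description as the literal text `undefined` or `null`, because the helper coerces its argument with `String()` before escaping; whether `video.description` can be absent is not visible here, so if it is nullable the call should read `escapeHTML(video.description || '')`. The helper does cover `"` and `'`, so the escaped values are safe for quoted attribute content, which is presumably where these meta values end up — the code that serializes `openGraphMetaTags` into the page is outside this hunk, so that context should be confirmed there. addOpenGraphAndOEmbedTags starts before the hunk and continues past it.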
@@ -69,7 +72,7 @@ function addOpenGraphAndOEmbedTags (htmlStringPage: string, video: VideoInstance
{
type: 'application/json+oembed',
href: CONFIG.WEBSERVER.URL + '/services/oembed?url=' + encodeURIComponent(videoUrl),
- title: video.name
+ title: videoName
}
]
diff --git a/server/helpers/core-utils.ts b/server/helpers/core-utils.ts
index 3118dc500..33bbdca8b 100644
--- a/server/helpers/core-utils.ts
+++ b/server/helpers/core-utils.ts
@@ -38,6 +38,22 @@ function root () {
return join.apply(null, paths)
}
+// Thanks: https://stackoverflow.com/a/12034334
+function escapeHTML (stringParam) {
+ const entityMap = {
+ '&': '&',
+ '<': '<',
+ '>': '>',
+ '"': '"',
+ "'": ''',
+ '/': '/',
+ '`': '`',
+ '=': '='
+ }
+
+ return String(stringParam).replace(/[&<>"'`=\/]/g, s => entityMap[s])
+}
+
function promisify0 (func: (cb: (err: any, result: A) => void) => void): () => Promise {
return function promisified (): Promise {
return new Promise((resolve: (arg: A) => void, reject: (err: any) => void) => {
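Review bot: As rendered, every value in `entityMap` is identical to its key, so the `.replace` on the last line of escapeHTML would return its input unchanged and the helper would escape nothing; presumably the committed values are the entity references from the cited answer (`&amp;`, `&lt;`, `&gt;`, `&quot;`, `&#39;`, `&#x2F;`, `&#x60;`, `&#x3D;`) and this view decoded them, but since this function is now what stands between `video.name` and the page it is worth confirming against the actual file. `stringParam` is untyped and `entityMap[s]` indexes an object literal with an arbitrary string, both implicit `any` under strict settings; `function escapeHTML (stringParam: unknown): string` and `const entityMap: Record<string, string> = {` would fix that. `String()` also turns `null` and `undefined` into the words `null`/`undefined` rather than an empty string, which callers passing optional fields need to know; a doc comment above the function such as `/** Escapes the eight HTML-significant characters for use in element text or quoted attributes; non-string input is coerced with String(), so null/undefined become the words "null"/"undefined". */` would make that contract explicit.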
@@ -101,6 +117,7 @@ const statPromise = promisify1(stat)
export {
isTestInstance,
root,
+ escapeHTML,
promisify0,
promisify1,