Merge pull request #3 from BafDyce/fix-html-injection

[Web Interface] Fix HTML injection via "currently playing"

interface.py

@@ -98,21 +98,29 @@ def index():
                 random.shuffle(var.playlist)
     if var.current_music:
         source = var.current_music[0]
+        # format for current_music below:
+        # (sourcetype, title, url or None)
         if source == "radio":
-            current_music = "[radio] {title} sur {url}".format(
+            current_music = (
-                title=media.get_radio_title(var.current_music[1]),
+                "[radio]",
-                url=var.current_music[2]
+                media.get_radio_title(var.current_music[1]),
+                var.current_music[2]
             )
         elif source == "url":
-            current_music = "[url] {title} (<a href=\"{url}\">{url}</a>)".format(
+            current_music = (
-                title=var.current_music[2],
+                "[url]",
-                url=var.current_music[1]
+                var.current_music[2],
+                var.current_music[1]
             )
         elif source == "file":
-            current_music = "[file] {title}".format(title=var.current_music[2])
+            current_music = (
+                "[file]",
+                var.current_music[2],
+                None
+            )
         else:
-            current_music = "(?)[{}] {} {}".format(
+            current_music = (
-                var.current_music[0],
+                "(??)[" + var.current_music[0] + "]",
                 var.current_music[1],
                 var.current_music[2],
             )

templates/index.html

@@ -77,7 +77,10 @@
 <div id="playlist">
     Currently Playing :
     {% if current_music %}
-    {{ current_music|safe }}
+    {{ current_music[0] }} {{ current_music[1] }}
+    {% if current_music[2] %}
+        (<a href="{{ current_music[2] }}">{{ current_music[2] }}</a>)
+    {% endif %}
     {% else %}
     No music
     {% endif %}