[Web Interface] Fix HTML injection via "currently playing"

- Would have been exploitable with malicious titles in youtube, etc.
2018-05-21 11:14:59 +02:00
parent f557ca9a14
commit d858c950ad
2 changed files with 21 additions and 10 deletions
--- a/templates/index.html
+++ b/templates/index.html
@@ -77,7 +77,10 @@
 <div id="playlist">
    Currently Playing :
    {% if current_music %}
-    {{ current_music|safe }}
+    {{ current_music[0] }} {{ current_music[1] }}
+    {% if current_music[2] %}
+        (<a href="{{ current_music[2] }}">{{ current_music[2] }}</a>)
+    {% endif %}
    {% else %}
    No music
    {% endif %}