XSS in player.js

[mmiszczyk]

            tmp.onloadeddata = function () {
                playList.push({
                    index: gi,
                    song: file,
                    song_name: file,
                    duration: tmp.duration
                })
                song_list.append(`<li class="list">
            <span class="index">${playList[gi].index + 1}</span>
            <span class="song">${playList[gi].song_name}</span>
            <span class="duration">${toTime(playList[gi].duration)}</span>
            </li>`);

                    playList.push({
                        index: gi,
                        song: file,
                        song_name: metadata.title || file,
                        duration: metadata.duration
                    });
                    song_list.append(`<li class="list">
                    <span class="index">${playList[gi].index + 1}</span>
                    <span class="song">${playList[gi].song_name}</span>
                    <span class="duration">${toTime(playList[gi].duration)}</span>
                    </li>`);

This is not secure, as you can just insert your own HTML/js into filename or metadata and have it execute inside the application: e.g. edit any MP3 file and set title to <script>alert('xss')</script>, and the alert box will pop up when you select a folder containing the song.

[MD-AZMAL]

ya i will start working on it... i was kind of busy with other project.... couldn't respond..

[MD-AZMAL]

thanks for your feedback