HTML escape video mimetype

Video mimetype may contain code information between double quotes. If not properly escaped, it breaks the browser's parser. E.g: ``` type="video/mp4; codecs=" avc1.64001f,="" mp4a.40.2""="" ``` Thank Robin for catching this!
author: Samantaz Fox <coding@samantaz.fr> 2021-09-13 18:20:11 +0200
committer: GitHub <noreply@github.com> 2021-09-13 18:20:11 +0200
commit: 947fe4fbb3f4c51820b8d07844579c2894eaee4f (patch)
tree: 22e761bb39ac7f5431a346242ff775659b03aa69
parent: 50c8afb525429dcdb5a9b9bb4cf798ee9f62da2a (diff)
download: invidious-947fe4fbb3f4c51820b8d07844579c2894eaee4f.tar.gz
invidious-947fe4fbb3f4c51820b8d07844579c2894eaee4f.tar.bz2
invidious-947fe4fbb3f4c51820b8d07844579c2894eaee4f.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/src/invidious/views/components/player.ecr b/src/invidious/views/components/player.ecr
index c520fb5a..6418f66b 100644
--- a/src/invidious/views/components/player.ecr
+++ b/src/invidious/views/components/player.ecr
@@ -23,7 +23,7 @@
                 src_url += "&local=true" if params.local
 
                 quality = fmt["quality"]
-                mimetype = fmt["mimeType"]
+                mimetype = HTML.escape(fmt["mimeType"].as_s)
 
                 selected = params.quality ? (params.quality == quality) : (i == 0)
             %>
author	Samantaz Fox <coding@samantaz.fr>	2021-09-13 18:20:11 +0200
committer	GitHub <noreply@github.com>	2021-09-13 18:20:11 +0200
commit	947fe4fbb3f4c51820b8d07844579c2894eaee4f (patch)
tree	22e761bb39ac7f5431a346242ff775659b03aa69
parent	50c8afb525429dcdb5a9b9bb4cf798ee9f62da2a (diff)
download	invidious-947fe4fbb3f4c51820b8d07844579c2894eaee4f.tar.gz invidious-947fe4fbb3f4c51820b8d07844579c2894eaee4f.tar.bz2 invidious-947fe4fbb3f4c51820b8d07844579c2894eaee4f.zip