From 9cbeddae8fc6fb729ab8fc2e2c79b39edd0caea6 Mon Sep 17 00:00:00 2001
From: Deluan
Date: Thu, 5 Nov 2020 12:32:39 -0500
Subject: [PATCH] Avoid cross-site scripting

See: https://lgtm.com/rules/1510377426397/
---
 server/app/playlists.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/server/app/playlists.go b/server/app/playlists.go
index a480118ca..e72a16f73 100644
--- a/server/app/playlists.go
+++ b/server/app/playlists.go
@@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"html"
 	"net/http"
 	"strconv"
 	"strings"
@@ -123,7 +124,7 @@ func addToPlaylist(ds model.DataStore) http.HandlerFunc {
 		}
 
 		// Must return an object with an ID, to satisfy ReactAdmin `create` call
-		_, err = w.Write([]byte(fmt.Sprintf(`{"id":"%s"}`, playlistId)))
+		_, err = fmt.Fprintf(w, `{"id":"%s"}`, html.EscapeString(playlistId))
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 		}
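Review bot: The new `fmt.Fprintf` line applies an HTML escaper to a value that is being emitted inside a JSON string, which is the wrong encoder for that context: `html.EscapeString` rewrites `"`, `'`, `<`, `>` and `&` into entities (so a client would receive a different id than the one stored) while leaving `\` and control characters unescaped, so the body can still be malformed JSON. Since `encoding/json` is already imported in the hunk above, the response should be produced by the JSON encoder, which escapes `<`, `>` and `&` by default and handles quoting correctly: `w.Header().Set("Content-Type", "application/json")` followed by `err = json.NewEncoder(w).Encode(map[string]string{"id": playlistId})`. Declaring the body as JSON also removes the content-sniffing condition the linked alert appears to be about, assuming no earlier line in the handler already sets the header (the handler body starts outside the hunk, so that cannot be confirmed here).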