From b663a2fb90ff5e478fc0f56e03c2f134ea1502e4 Mon Sep 17 00:00:00 2001
From: jvoisin <jvoisin@users.noreply.github.com>
Date: Sun, 28 Apr 2019 08:49:25 +0000
Subject: [PATCH] Fix a stored XSS

---
 .../src/main/webapp/WEB-INF/jsp/transcodingSettings.jsp       | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/airsonic-main/src/main/webapp/WEB-INF/jsp/transcodingSettings.jsp b/airsonic-main/src/main/webapp/WEB-INF/jsp/transcodingSettings.jsp
index 3d470f17..925939b7 100644
--- a/airsonic-main/src/main/webapp/WEB-INF/jsp/transcodingSettings.jsp
+++ b/airsonic-main/src/main/webapp/WEB-INF/jsp/transcodingSettings.jsp
@@ -27,7 +27,7 @@
 
     <c:forEach items="${model.transcodings}" var="transcoding">
         <tr>
-            <td><input class="monospace" name="name[${transcoding.id}]" size="10" value="${transcoding.name}"/></td>
+            <td><input class="monospace" name="name[${transcoding.id}]" size="10" value="${fn:escapeXml(transcoding.name)}"/></td>
             <td><input class="monospace" name="sourceFormats[${transcoding.id}]" size="36" value="${transcoding.sourceFormats}"/></td>
             <td><input class="monospace" name="targetFormat[${transcoding.id}]" size="10" value="${transcoding.targetFormat}"/></td>
             <td><input class="monospace" name="step1[${transcoding.id}]" size="60" value="${transcoding.step1}"/></td>
@@ -41,7 +41,7 @@
     </tr>
 
     <tr>
-        <td><input class="monospace" name="name" size="10" placeholder="<fmt:message key="transcodingsettings.name"/>" value="${newTranscoding.name}"/></td>
+        <td><input class="monospace" name="name" size="10" placeholder="<fmt:message key="transcodingsettings.name"/>" value="${fn:escapeXml(newTranscoding.name)}"/></td>
         <td><input class="monospace" name="sourceFormats" size="36" placeholder="<fmt:message key="transcodingsettings.sourceformat"/>" value="${newTranscoding.sourceFormats}"/></td>
         <td><input class="monospace" name="targetFormat" size="10" placeholder="<fmt:message key="transcodingsettings.targetformat"/>" value="${newTranscoding.targetFormat}"/></td>
         <td><input class="monospace" name="step1" size="60" placeholder="<fmt:message key="transcodingsettings.step1"/>" value="${newTranscoding.step1}"/></td>