escape custom background image

2021-02-21 12:51:13 +01:00 · 2021-02-21 12:51:13 +01:00 · f883a809d5
parent 541da518a9
commit f883a809d5
1 changed files with 4 additions and 1 deletions
--- a/app/views/base/layout.scala
+++ b/app/views/base/layout.scala
@ -8,6 +8,7 @@ import lila.app.templating.Environment._
 import lila.app.ui.ScalatagsTemplate._
 import lila.common.String.html.safeJsonValue
 import lila.common.{ ContentSecurityPolicy, Nonce }
+import lila.common.base.StringUtils.escapeHtmlRaw

 object layout {

@ -225,7 +226,9 @@ object layout {
          ),
          ctx.currentBg == "transp" option ctx.pref.bgImgOrDefault map { img =>
            raw(
-              s"""<style id="bg-data">body.transp::before{background-image:url('$img');}</style>"""
+              s"""<style id="bg-data">body.transp::before{background-image:url("${escapeHtmlRaw(
+                img
+              )}");}</style>"""
            )
          },
          fontPreload,