Escape 'sort_by'

2020-03-10 11:25:32 -04:00
parent 1443335315
commit f92027c44b
2 changed files with 3 additions and 3 deletions
--- a/src/invidious/views/playlists.ecr
+++ b/src/invidious/views/playlists.ecr
@@ -90,7 +90,7 @@
    <div class="pure-u-1 pure-u-md-4-5"></div>
    <div class="pure-u-1 pure-u-lg-1-5" style="text-align:right">
        <% if continuation %>
-            <a href="/channel/<%= channel.ucid %>/playlists?continuation=<%= continuation %><% if sort_by != "last" %>&sort_by=<%= sort_by %><% end %>">
+            <a href="/channel/<%= channel.ucid %>/playlists?continuation=<%= continuation %><% if sort_by != "last" %>&sort_by=<%= HTML.escape(sort_by) %><% end %>">
                <%= translate(locale, "Next page") %>
            </a>
        <% end %>