From 3d4a4cd960c10144c994c487426720aad10179a9 Mon Sep 17 00:00:00 2001
From: Rafael
Date: Mon, 31 Jan 2022 15:29:43 -0300
Subject: [PATCH] Add escapeHtmlProperty on url params
---
 ui/util/web.js | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/ui/util/web.js b/ui/util/web.js
index 7947d2bca..8b601ccc2 100644
--- a/ui/util/web.js
+++ b/ui/util/web.js
@@ -13,16 +13,16 @@ function generateEmbedUrl(claimName, claimId, startTime, referralLink) {
 let urlParams = new URLSearchParams();
 if (startTime) {
- urlParams.append('t', startTime);
+ urlParams.append('t', escapeHtmlProperty(startTime));
 }
 if (referralLink) {
- urlParams.append('r', referralLink);
+ urlParams.append('r', escapeHtmlProperty(referralLink));
 }
 const encodedUriName = encodeURIComponent(claimName).replace(/'/g, '%27').replace(/\(/g, '%28').replace(/\)/g, '%29');
- const embedUrl = `${URL}/$/embed/${encodedUriName}/${claimId}`;
+ const embedUrl = `${URL}/$/embed/${escapeHtmlProperty(encodedUriName)}/${escapeHtmlProperty(claimId)}`;
 const embedUrlParams = urlParams.toString() ? `?${urlParams.toString()}` : '';
 return `${embedUrl}${embedUrlParams}`;
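Review bot: `escapeHtmlProperty` is applied at the URL-building layer, before `URLSearchParams.append` percent-encodes the value. Any entity it emits (for example `&amp;` for `&`, assuming it is a conventional HTML-attribute escaper; its body is not in this hunk) is then percent-encoded into `t`/`r`, so the embed page receives the literal entity text instead of the original start time or referral link. `URLSearchParams` already percent-encodes quotes, angle brackets and ampersands, so the query values need no extra escaping. The one component left unencoded before this change is `claimId` in the path, and an HTML entity there would introduce `&`, `#` and `;`, all of which are URL-significant. I would keep `urlParams.append('t', startTime);` and `urlParams.append('r', referralLink);` as they were, build the path as `${URL}/$/embed/${encodedUriName}/${encodeURIComponent(claimId)}`, and call `escapeHtmlProperty` once on the returned URL at the place where it is written into an HTML attribute. The diffstat shows only these three changed lines, so the helper must already be in scope above the hunk; the start and the closing lines of `generateEmbedUrl` are outside the hunk.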