From: Šarūnas Nejus https://github.com/snejus
Date: Sat, 9 May 2026 08:04:44 +0200
Subject: Fix XSS by using escaped template tags in web UI

Bug: https://github.com/beetbox/beets/security/advisories/GHSA-3gxm-wfjx-m847
Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135779
Origin: backport, https://github.com/beetbox/beets/commit/75f0d8f4899e61afb939adf02dcfb078aed23a6a
Forwarded: not-needed
---
 beetsplug/web/templates/index.html | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/beetsplug/web/templates/index.html b/beetsplug/web/templates/index.html
index 0fdd46d..7b1e43f 100644
--- a/beetsplug/web/templates/index.html
+++ b/beetsplug/web/templates/index.html
@@ -45,16 +45,16 @@
 
         <!-- Templates. -->
         <script type="text/template" id="item-entry-template">
-            <%= title %>
+            <%- title %>
             <span class="playing">&#9654;</span>
         </script>
         <script type="text/template" id="item-main-detail-template">
-            <span class="artist"><%= artist %></span>
+            <span class="artist"><%- artist %></span>
             <span class="album">
-                <span class="albumtitle"><%= album %></span>
-                <span class="year">(<%= year %>)</span>
+                <span class="albumtitle"><%- album %></span>
+                <span class="year">(<%- year %>)</span>
             </span>
-            <span class="title"><%= title %></span>
+            <span class="title"><%- title %></span>
 
             <button class="play">&#9654;</button>
 
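Review bot: The `<!-- Templates. -->` marker on the context line above the first template gives no hint of the rule this hunk establishes, so the next field added to one of these templates can silently reintroduce `<%= %>`; I would extend it to `<!-- Templates. Library fields (title, artist, album, lyrics, ...) are untrusted: interpolate with <%- %> (HTML-escaped), never <%= %>. -->`. The same rule applies to the item-extra-detail template in the second hunk, so one comment at this point covers both. Note that `<%- %>` is only the escaping delimiter under Underscore's default `_.templateSettings`; if the app's JavaScript overrides those settings, these tags would no longer escape, which is worth confirming in the script that compiles the templates.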
@@ -63,34 +63,34 @@
         <script type="text/template" id="item-extra-detail-template">
             <dl>
                 <dt>Track</dt>
-                <dd><%= track %>/<%= tracktotal %></dd>
+                <dd><%- track %>/<%- tracktotal %></dd>
                 <% if (disc) { %>
                     <dt>Disc</dt>
-                    <dd><%= disc %>/<%= disctotal %></dd>
+                    <dd><%- disc %>/<%- disctotal %></dd>
                 <% } %>
                 <dt>Length</dt>
-                <dd><%= timeFormat(length) %></dd>
+                <dd><%- timeFormat(length) %></dd>
                 <dt>Format</dt>
-                <dd><%= format %></dd>
+                <dd><%- format %></dd>
                 <dt>Bitrate</dt>
-                <dd><%= Math.round(bitrate/1000) %> kbps</dd>
+                <dd><%- Math.round(bitrate/1000) %> kbps</dd>
                 <% if (mb_trackid) { %>
                     <dt>MusicBrainz entry</dt>
                     <dd>
-                        <a target="_blank" href="http://musicbrainz.org/recording/<%= mb_trackid %>">view</a>
+                        <a target="_blank" href="http://musicbrainz.org/recording/<%- mb_trackid %>">view</a>
                     </dd>
                 <% } %>
                 <dt>File</dt>
                 <dd>
-                    <a target="_blank" class="download" href="item/<%= id %>/file">download</a>
+                    <a target="_blank" class="download" href="item/<%- id %>/file">download</a>
                 </dd>
                 <% if (lyrics) { %>
                     <dt>Lyrics</dt>
-                    <dd class="lyrics"><%= lyrics %></dd>
+                    <dd class="lyrics"><%- lyrics %></dd>
                 <% } %>
                 <% if (comments) { %>
                     <dt>Comments</dt>
-                    <dd><%= comments %></dd>
+                    <dd><%- comments %></dd>
                 <% } %>
             </dl>
         </script>
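Review bot: HTML-escaping is the right fix for the text cells, but the two `href` values at the `mb_trackid` and `id` lines are in a URL path context, where `_.escape` only prevents attribute breakout and does not percent-encode, so a value containing `/`, `?`, `#` or `..` would still change where the link points. Since `mb_trackid` appears to come from tag data (presumably untrusted), I would wrap both in `encodeURIComponent` inside the escaping tag: `<a target="_blank" rel="noopener noreferrer" href="https://musicbrainz.org/recording/<%- encodeURIComponent(mb_trackid) %>">view</a>` and `<a target="_blank" rel="noopener noreferrer" class="download" href="item/<%- encodeURIComponent(id) %>/file">download</a>`. Those rewrites also add `rel="noopener noreferrer"` to the `target="_blank"` links and switch the MusicBrainz link to `https:`, both of which the new lines still lack.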
