From d255499e83aaa2bc0eac7f8b34af708796e6f47a Mon Sep 17 00:00:00 2001
From: xiaomlove <1939737565@qq.com>
Date: Mon, 15 Dec 2025 19:35:37 +0700
Subject: [PATCH] fix media info xss

---
 include/globalfunctions.php | 8 ++++++++
 public/details.php | 11 +++++------
 2 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/include/globalfunctions.php b/include/globalfunctions.php
index 8b2e2b52..5e45b8ae 100644
--- a/include/globalfunctions.php
+++ b/include/globalfunctions.php
@@ -1673,3 +1673,11 @@ JS;
 \Nexus\Nexus::js("js/crypto-js.js", 'footer', true);
 \Nexus\Nexus::js($js, 'footer', false);
 }
+
+function nexus_escape($data): array|string
+{
+ if (is_array($data)) {
+ return array_map('nexus_escape', $data);
+ }
+ return htmlspecialchars($data, ENT_QUOTES, 'UTF-8');
+}
diff --git a/public/details.php b/public/details.php
index 0a49e836..7084b49c 100644
--- a/public/details.php
+++ b/public/details.php
@@ -29,7 +29,6 @@ $row = mysql_fetch_array($res);
 if (user_can('torrentmanage') || $CURUSER["id"] == $row["owner"]) $owned = 1; else $owned = 0;
-
 $settingMain = get_setting('main');
 if (!$row) {
 stderr($lang_details['std_error'], $lang_details['std_no_torrent_id']);
@@ -308,20 +307,20 @@ JS;
 //technical info
 if ($settingMain['enable_technical_info'] == 'yes') {
- $technicalData = $row['technical_info'] ?? '';
-
+ $technicalData = nexus_escape($row['technical_info'] ?? '');
+
 // 判断是否为BDINFO格式
 $isBdInfo = false;
 if (!empty($technicalData)) {
 $firstLine = strtok($technicalData, "\n");
- if (strpos($firstLine, 'DISC INFO') !== false
+ if (strpos($firstLine, 'DISC INFO') !== false
 || strpos($firstLine, 'Disc Title') !== false
 || strpos($firstLine, 'Disc Label') !== false
 ) {
 $isBdInfo = true;
 }
 }
-
+
 if ($isBdInfo) {
 // 使用BdInfoExtra处理BDINFO格式
 $technicalInfo = new \Nexus\Torrent\BdInfoExtra($technicalData);
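Review bot: The `htmlspecialchars($data, ENT_QUOTES, 'UTF-8')` call on the last line of `nexus_escape` returns an empty string whenever the input contains an invalid UTF-8 byte sequence (PHP's default without `ENT_SUBSTITUTE`/`ENT_IGNORE`), so a MediaInfo dump pasted from a non-UTF-8 tool would silently render as nothing rather than as escaped text. Adding `ENT_SUBSTITUTE` turns bad bytes into U+FFFD instead: `return htmlspecialchars((string) $data, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');`. The `(string)` cast also keeps a null or numeric leaf from hitting the PHP 8.1 null-to-string deprecation, since `$data` is untyped and the array branch recurses into whatever the array holds. A one-line docblock would make the contract explicit for other callers: `/** Recursively HTML-escape a string, or every leaf of an array, for an HTML body/attribute context (not JS or URL). */`.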
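Review bot: The new escape at `$technicalData = nexus_escape($row['technical_info'] ?? '');` runs before the text is handed to `BdInfoExtra`/`TechnicalInformation`, so those parsers now receive entity-encoded input: any `&`, `"`, `'`, `<` or `>` in a MediaInfo field arrives as a 4–6 character entity, which changes what regexes and length-based logic in the parsers see, and if `renderOnDetailsPage()` escapes values again the output is double-encoded (`&amp;amp;`). I cannot see the renderers from this hunk, so this is a suspicion rather than a confirmed bug; the conventional fix is to keep `$technicalData` raw here and escape each value inside `renderOnDetailsPage()` at the point it is written into HTML. If escaping-before-parsing is the intended design, document the invariant on that line so a later change to the renderers does not undo it: `// Escaped before parsing: BdInfoExtra/TechnicalInformation must emit fields verbatim (no second escape, no html_entity_decode).` The enclosing `if ($settingMain['enable_technical_info'] == 'yes')` block continues past the end of this hunk.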
@@ -329,7 +328,7 @@ JS;
 // 使用TechnicalInformation处理MediaInfo格式
 $technicalInfo = new \Nexus\Torrent\TechnicalInformation($technicalData);
 }
-
+
 $technicalInfoResult = $technicalInfo->renderOnDetailsPage();
 if (!empty($technicalInfoResult)) {
 tr($lang_functions['text_technical_info'], $technicalInfoResult, 1);