2 files changed, 28 insertions, 8 deletions

diff --git a/server/controllers/client.ts b/server/controllers/client.ts
index e3c962058..6a2ac4aab 100644
--- a/server/controllers/client.ts
+++ b/server/controllers/client.ts
@@ -10,7 +10,7 @@ import {
   STATIC_MAX_AGE,
   OPENGRAPH_AND_OEMBED_COMMENT
 } from '../initializers'
-import { root, readFileBufferPromise } from '../helpers'
+import { root, readFileBufferPromise, escapeHTML } from '../helpers'
 import { VideoInstance } from '../models'
 
 const clientsRouter = express.Router()
@@ -47,21 +47,24 @@ function addOpenGraphAndOEmbedTags (htmlStringPage: string, video: VideoInstance
   const previewUrl = CONFIG.WEBSERVER.URL + STATIC_PATHS.PREVIEWS + video.getPreviewName()
   const videoUrl = CONFIG.WEBSERVER.URL + '/videos/watch/' + video.uuid
 
+  const videoName = escapeHTML(video.name)
+  const videoDescription = escapeHTML(video.description)
+
   const openGraphMetaTags = {
     'og:type': 'video',
-    'og:title': video.name,
+    'og:title': videoName,
     'og:image': previewUrl,
     'og:url': videoUrl,
-    'og:description': video.description,
+    'og:description': videoDescription,
 
-    'name': video.name,
-    'description': video.description,
+    'name': videoName,
+    'description': videoDescription,
     'image': previewUrl,
 
     'twitter:card': 'summary_large_image',
     'twitter:site': '@Chocobozzz',
-    'twitter:title': video.name,
-    'twitter:description': video.description,
+    'twitter:title': videoName,
+    'twitter:description': videoDescription,
     'twitter:image': previewUrl
   }
 
@@ -69,7 +72,7 @@ function addOpenGraphAndOEmbedTags (htmlStringPage: string, video: VideoInstance
     {
       type: 'application/json+oembed',
       href: CONFIG.WEBSERVER.URL + '/services/oembed?url=' + encodeURIComponent(videoUrl),
-      title: video.name
+      title: videoName
     }
   ]
 
diff --git a/server/helpers/core-utils.ts b/server/helpers/core-utils.ts
index 3118dc500..33bbdca8b 100644
--- a/server/helpers/core-utils.ts
+++ b/server/helpers/core-utils.ts
@@ -38,6 +38,22 @@ function root () {
   return join.apply(null, paths)
 }
 
+// Thanks: https://stackoverflow.com/a/12034334
+function escapeHTML (stringParam) {
+  const entityMap = {
+    '&': '&',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#39;',
+    '/': '&#x2F;',
+    '`': '&#x60;',
+    '=': '&#x3D;'
+  }
+
+  return String(stringParam).replace(/[&<>"'`=\/]/g, s => entityMap[s])
+}
+
 function promisify0<A> (func: (cb: (err: any, result: A) => void) => void): () => Promise<A> {
   return function promisified (): Promise<A> {
     return new Promise<A>((resolve: (arg: A) => void, reject: (err: any) => void) => {
@@ -101,6 +117,7 @@ const statPromise = promisify1<string, Stats>(stat)
 export {
   isTestInstance,
   root,
+  escapeHTML,
 
   promisify0,
   promisify1,