Describe The Bug
Within the #/wizardlibrary.html template page, we are not currently escaping the directory name, and it can lead to XSS problems.
I'm reporting this publicly, rather than to the security email because there's very little risk in my opinion. With the wizard page being used only on new setups, and Jellyfin and the dashboard libraries page being buried in settings. Also Jellyfin mostly being private use, it's a low priority security bug.
Steps To Reproduce
Create a new folder with a maliciously crafted name like "><img src=x onerror=alert("Not escape")>"
Start setting up a new Jellyfin instance
When you set up the media libraries, select that suspiciously named folder as your media directory
Once you save the folder, you will see an alert when returned to the wizardlibrary.html template page.
If you continue through the setup, this same XSS will also occur in #/dashboard/libraries
Expected Behavior
The folder name should be rendered as text, rather than HTML. Using either textContent in JavaScript, or an escaping function if rendered server side.
Logs
N/A
Screenshots
N/A
System (please complete the following information):
Platform: All
Browser: All
Jellyfin Version: 10.10.3
Additional Context
All credit to Fahimhusain Raydurg, who discovered this issue. I'm just reporting it.
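The two fixes named under Expected Behavior, shown next to the unescaped pattern. This is an added example, not Jellyfin's code or part of the original report; the function names and the list-item markup are hypothetical, and the folder name is the one from the reproduction steps.

```javascript
'use strict';
// Added illustration; function names and list-item markup are hypothetical, not Jellyfin's.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Encode the five characters that can change the HTML parsing context.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Pattern the report describes: the directory name is concatenated into markup as-is.
function renderPathItemUnsafe(path) {
  return '<div class="listItem" title="' + path + '"><span>' + path + '</span></div>';
}

// Same template with the name escaped for both the attribute and the text position.
function renderPathItemSafe(path) {
  const safe = escapeHtml(path);
  return '<div class="listItem" title="' + safe + '"><span>' + safe + '</span></div>';
}

// DOM variant: setAttribute and textContent never parse the value as HTML.
// `doc` is the browser's `document` (passed in so the function is testable).
function renderPathItemDom(doc, path) {
  const item = doc.createElement('div');
  item.className = 'listItem';
  item.setAttribute('title', path);
  const label = doc.createElement('span');
  label.textContent = path;
  item.appendChild(label);
  return item;
}

// Rough check for this example only (not an HTML parser): element names opened in markup.
function openedTags(markup) {
  return (markup.match(/<[a-zA-Z][a-zA-Z0-9]*/g) || []).map((t) => t.slice(1).toLowerCase());
}

const folderName = '"><img src=x onerror=alert("Not escape")>'; // name from the report
console.log(openedTags(renderPathItemUnsafe(folderName)).join(',')); // extra img elements
console.log(openedTags(renderPathItemSafe(folderName)).join(','));   // only the template's own
```
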