xss vulnerabilities fixed

author Bjoern Schiessle <schiessle@owncloud.com>

Fri, 22 Jun 2012 12:11:57 +0000 (14:11 +0200)

committer Bjoern Schiessle <schiessle@owncloud.com>

Fri, 22 Jun 2012 12:11:57 +0000 (14:11 +0200)
author Bjoern Schiessle <schiessle@owncloud.com>
Fri, 22 Jun 2012 12:11:57 +0000 (14:11 +0200)
committer Bjoern Schiessle <schiessle@owncloud.com>
Fri, 22 Jun 2012 12:11:57 +0000 (14:11 +0200)
diff --git a/apps/gallery/lib/tiles.php b/apps/gallery/lib/tiles.php

index 2bc8d4fcce0519a3d6ee502964e7665779499a76..011168471f0f5f06818a4ebe7bb97f28c7f740c9 100644 (file)
--- a/apps/gallery/lib/tiles.php
+++ b/apps/gallery/lib/tiles.php
@@ -168,7 +168,7 @@ class TileStack extends TileBase {
         }
         
         public function getOnClickAction() {
-               return 'javascript:openNewGal(\''.$this->stack_name.'\');';
+               return 'javascript:openNewGal(\''.\OCP\Util::sanitizeHTML($this->stack_name).'\');';
         }
  
         private $tiles_array;
diff --git a/apps/gallery/templates/index.php b/apps/gallery/templates/index.php

index 1890552fc0c1dab88c33f675dbdf58bde4237ee8..037e53059d116bd627dce5fd00fc84c43565fe90 100644 (file)
--- a/apps/gallery/templates/index.php
+++ b/apps/gallery/templates/index.php
@@ -1,6 +1,6 @@
  <script type="text/javascript">
  
-var root = "<?php echo $_['root']; ?>";
+var root = "<?php echo OCP\Util::sanitizeHTML($_['root']); ?>";
  
  $(document).ready(function() {
                 $("a[rel=images]").fancybox({
author	Bjoern Schiessle <schiessle@owncloud.com>
	Fri, 22 Jun 2012 12:11:57 +0000 (14:11 +0200)
committer	Bjoern Schiessle <schiessle@owncloud.com>
	Fri, 22 Jun 2012 12:11:57 +0000 (14:11 +0200)
apps/gallery/lib/tiles.php		patch \| blob \| history
apps/gallery/templates/index.php		patch \| blob \| history