Sanitize user input
authorLukas Reschke <lukas@statuscode.ch>
Fri, 12 Oct 2012 12:02:19 +0000 (14:02 +0200)
committerLukas Reschke <lukas@statuscode.ch>
Fri, 12 Oct 2012 12:10:05 +0000 (14:10 +0200)
apps/files/js/filelist.js

index de73357907268cb288a1059f240a4e37dd0942f3..100a236872242e88d8db3f31a5ef9e306838088e 100644 (file)
@@ -15,9 +15,9 @@ var FileList={
                        extension=false;
                }
                html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
-               html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+name+'"><span class="nametext">'+basename;
+               html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
                if(extension){
-                       html+='<span class="extension">'+extension+'</span>';
+                       html+='<span class="extension">'+escapeHTML(extension)+'</span>';
                }
                html+='</span></a></td>';
                if(size!='Pending'){
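Review bot: The directory half of the same href on line 15 is still only partially escaped: `.replace(/</, '&lt;').replace(/>/, '&gt;')` has no `g` flag, so it rewrites only the first `<` and the first `>`, and neither `"` nor `&` is touched, which means a directory name containing a double quote can still close the `href` attribute that `escapeHTML(name)` now protects. Passing the directory through the same helper keeps both halves of the URL consistent: `html+='<a class="name" href="download.php?file='+escapeHTML($('#dir').val())+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);`. Whether escapeHTML handles `"` and `&` cannot be confirmed from this hunk, since its definition is elsewhere. Note also that HTML-escaping is not URL-encoding, so a `#`, `?` or `&` inside a file name still changes the query string; `encodeURIComponent` on the path pieces is the transform an href actually needs. The enclosing function starts and ends outside the hunk.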
@@ -189,9 +189,9 @@ var FileList={
        checkName:function(oldName, newName, isNewFile) {
                if (isNewFile || $('tr').filterAttr('data-file', newName).length > 0) {
                        if (isNewFile) {
-                               $('#notification').html(newName+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="suggest">'+t('files', 'suggest name')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>');
+                               $('#notification').html(escapeHTML(newName)+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="suggest">'+t('files', 'suggest name')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>');
                        } else {
-                               $('#notification').html(newName+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>');
+                               $('#notification').html(escapeHTML(newName)+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>');
                        }
                        $('#notification').data('oldName', oldName);
                        $('#notification').data('newName', newName);
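Review bot: The two `.html()` calls on lines 27 and 30 now differ only by the `<span class="suggest">` fragment, so the escaping of `newName` has to be kept correct in two places; building the shared prefix once, e.g. `var msg = escapeHTML(newName)+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span>';`, appending the `suggest` span only when `isNewFile` is set, and then adding the `cancel` span and a single `.html(msg)` call leaves one escaped occurrence to maintain. The `t()` results are concatenated unescaped into the same markup, so the fix relies on translation strings being trusted; that is presumably intended because they carry the span labels, but a short comment such as `// t() strings are trusted markup; only newName is user-controlled` would record the assumption. checkName's body continues past the end of the hunk.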
@@ -272,9 +272,9 @@ var FileList={
                } else {
                        // NOTE: Temporary fix to change the text to unshared for files in root of Shared folder
                        if ($('#dir').val() == '/Shared') {
-                               $('#notification').html(t('files', 'unshared')+' '+files+'<span class="undo">'+t('files', 'undo')+'</span>');
+                               $('#notification').html(t('files', 'unshared')+' '+ escapeHTML(files) +'<span class="undo">'+t('files', 'undo')+'</span>');
                        } else {
-                               $('#notification').html(t('files', 'deleted')+' '+files+'<span class="undo">'+t('files', 'undo')+'</span>');
+                               $('#notification').html(t('files', 'deleted')+' '+ escapeHTML(files)+'<span class="undo">'+t('files', 'undo')+'</span>');
                        }
                        $('#notification').fadeIn();
                }
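Review bot: Line 39 reads `' '+ escapeHTML(files) +'<span` while line 42 reads `' '+ escapeHTML(files)+'<span`; the rest of the file writes concatenation without spaces around `+`, so both lines should read `' '+escapeHTML(files)+'<span`. `files` is assembled outside the hunk, so whether it is a single string or a value escapeHTML coerces cannot be confirmed here; if it is a joined list of names, escaping after the join is correct only as long as the separator itself is not meant to be markup. The enclosing function starts and ends outside the hunk.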