prevent xss attacks by manipulating image file names

author Bjoern Schiessle <schiessle@owncloud.com>

Mon, 4 Jun 2012 14:22:25 +0000 (16:22 +0200)

committer Bjoern Schiessle <schiessle@owncloud.com>

Mon, 4 Jun 2012 14:22:25 +0000 (16:22 +0200)
author Bjoern Schiessle <schiessle@owncloud.com>
Mon, 4 Jun 2012 14:22:25 +0000 (16:22 +0200)
committer Bjoern Schiessle <schiessle@owncloud.com>
Mon, 4 Jun 2012 14:22:25 +0000 (16:22 +0200)
diff --git a/apps/files_imageviewer/js/lightbox.js b/apps/files_imageviewer/js/lightbox.js

index fe8b9753095c54b984e677bb235fe95e300666f7..7a7fb663857b4823bdf4e260ca72d16557d20dde 100644 (file)
--- a/apps/files_imageviewer/js/lightbox.js
+++ b/apps/files_imageviewer/js/lightbox.js
@@ -25,7 +25,7 @@ function viewImage(dir, file) {
         var location=OC.filePath('files','ajax','download.php')+'?files='+file+'&dir='+dir;
         $.fancybox({
                 "href": location,
-               "title": file,
+               "title": file.replace(/</, "&lt;").replace(/>/, "&gt;"),
                 "titlePosition": "inside"
         });
  }
author	Bjoern Schiessle <schiessle@owncloud.com>
	Mon, 4 Jun 2012 14:22:25 +0000 (16:22 +0200)
committer	Bjoern Schiessle <schiessle@owncloud.com>
	Mon, 4 Jun 2012 14:22:25 +0000 (16:22 +0200)