From: Bjoern Schiessle <schiessle@owncloud.com>
Date: Mon, 4 Jun 2012 14:20:03 +0000 (+0200)
Subject: prevent xss attacks by manipulating text file names
X-Git-Tag: v4.5.0beta1~74^2~424^2~35
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=1d6ca084a6f5414ae3bb0753500ad386c86d087c;p=nextcloud-server.git

prevent xss attacks by manipulating text file names
---

diff --git a/apps/files_texteditor/js/editor.js b/apps/files_texteditor/js/editor.js
index 9d168c1c4f6..70bb74a9101 100644
--- a/apps/files_texteditor/js/editor.js
+++ b/apps/files_texteditor/js/editor.js
@@ -67,7 +67,7 @@ function setSyntaxMode(ext){
 function showControls(filename,writeperms){
 	// Loads the control bar at the top.
 	// Load the new toolbar.
-	var editorbarhtml = '<div id="editorcontrols" style="display: none;"><div class="crumb svg last" id="breadcrumb_file" style="background-image:url(&quot;'+OC.imagePath('core','breadcrumb.png')+'&quot;)"><p>'+filename+'</p></div>';
+	var editorbarhtml = '<div id="editorcontrols" style="display: none;"><div class="crumb svg last" id="breadcrumb_file" style="background-image:url(&quot;'+OC.imagePath('core','breadcrumb.png')+'&quot;)"><p>'+filename.replace(/</, "&lt;").replace(/>/, "&gt;")+'</p></div>';
 	if(writeperms=="true"){
 		editorbarhtml += '<button id="editor_save">'+t('files_texteditor','Save')+'</button><div class="separator"></div>';
 	}