From: Bjoern Schiessle
Date: Mon, 4 Jun 2012 14:22:25 +0000 (+0200)
Subject: prevent xss attacks by manipulating image file names
X-Git-Tag: v4.5.0beta1~74^2~424^2~34
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=f291a843bf1258a71943aca824c281540c636c1c;p=nextcloud-server.git
prevent xss attacks by manipulating image file names
---
diff --git a/apps/files_imageviewer/js/lightbox.js b/apps/files_imageviewer/js/lightbox.js
index fe8b9753095..7a7fb663857 100644
--- a/apps/files_imageviewer/js/lightbox.js
+++ b/apps/files_imageviewer/js/lightbox.js
@@ -25,7 +25,7 @@ function viewImage(dir, file) {
 var location=OC.filePath('files','ajax','download.php')+'?files='+file+'&dir='+dir;
 $.fancybox({
 "href": location,
- "title": file,
+ "title": file.replace(//, ">"),
 "titlePosition": "inside"
 });
 }
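Review bot: The escaping added to `"title"` appears to cover only angle brackets, and as far as the line can be read here (it looks truncated by the page rendering) the patterns carry no `g` flag, so at most the first occurrence in a file name would be replaced and `&` is passed through unchanged. Escaping every occurrence, with `&` handled first, would close that gap: `"title": file.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;"),`. The unchanged `location` line above it still concatenates `file` and `dir` into the query string unencoded; `encodeURIComponent(file)` and `encodeURIComponent(dir)` would keep a name containing `&` or `#` from altering the download request. viewImage begins outside the hunk, so any earlier handling of `file` is not visible here.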