From 752a316a523f7e0229e2695124f764320b362d0c Mon Sep 17 00:00:00 2001
From: Thomas Tanghus <thomas@tanghus.net>
Date: Wed, 15 May 2013 01:31:53 +0200
Subject: [PATCH] Escape file names and types in filepicker.

---
 core/js/oc-dialogs.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/core/js/oc-dialogs.js b/core/js/oc-dialogs.js
index cfbca2833c7..3c288c6d13f 100644
--- a/core/js/oc-dialogs.js
+++ b/core/js/oc-dialogs.js
@@ -219,7 +219,7 @@ var OCdialogs = {
 		var entry_template = '<div data-entryname="*ENTRYNAME*" data-dcid="'+dialog_content_id+'" data="*ENTRYTYPE*"><img src="*MIMETYPEICON*" style="margin-right:1em;"><span class="filename">*NAME*</span><div style="float:right;margin-right:1em;">*LASTMODDATE*</div></div>';
 		var names = '';
 		$.each(r.data, function(index, a) {
-			names += entry_template.replace('*LASTMODDATE*', OC.mtime2date(a.mtime)).replace('*NAME*', a.name).replace('*MIMETYPEICON*', a.mimetype_icon).replace('*ENTRYNAME*', a.name).replace('*ENTRYTYPE*', a.type);
+			names += entry_template.replace('*LASTMODDATE*', OC.mtime2date(a.mtime)).replace('*NAME*', escapeHTML(a.name)).replace('*MIMETYPEICON*', a.mimetype_icon).replace('*ENTRYNAME*', escapeHTML(a.name)).replace('*ENTRYTYPE*', escapeHTML(a.type));
 		});
 		
 		$(dialog_content_id + ' #filelist').html(names).on('click', '[data="file"]', function() {
-- 
2.39.5