author | Thomas Müller <thomas.mueller@tmit.eu> | 2015-11-30 11:20:30 +0100 |
---|---|---|
committer | Thomas Müller <thomas.mueller@tmit.eu> | 2015-11-30 11:20:30 +0100 |
commit | a94819f4a47ba98b185c9c75eab43d8cb933ed5c (patch) | |
tree | 14cccef71708a3d4753e52c1d6f7b8ab1051fe14 | |
parent | 9c1dbaf0ad73bc84e41db964b319d7b2842ac7ae (diff) | |
parent | f3e9106864421d902cb3751fdd0004f84b369938 (diff) | |
Merge pull request #20809 from owncloud/dont-trust-update-server-message
Don't trust update server
-rw-r--r-- | core/templates/layout.user.php | 2 | ||||
-rw-r--r-- | lib/private/templatelayout.php | 4 |
2 files changed, 4 insertions, 2 deletions
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index 5e13d9329f3..714525cf87e 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -4,7 +4,7 @@
 <!--[if (gt IE 9)|!(IE)]><!--><html class="ng-csp" data-placeholder-focus="false" lang="<?php p($_['language']); ?>" ><!--<![endif]-->
 <head data-user="<?php p($_['user_uid']); ?>" data-requesttoken="<?php p($_['requesttoken']); ?>"
 <?php if ($_['updateAvailable']): ?>
- data-update-version="<?php print($_['updateVersion']); ?>" data-update-link="<?php print_unescaped($_['updateLink']); ?>"
+ data-update-version="<?php p($_['updateVersion']); ?>" data-update-link="<?php p($_['updateLink']); ?>"
 <?php endif; ?>
 >
 <meta charset="utf-8">
diff --git a/lib/private/templatelayout.php b/lib/private/templatelayout.php
index 7d16823d2a8..f5974128b73 100644
--- a/lib/private/templatelayout.php
+++ b/lib/private/templatelayout.php
@@ -85,7 +85,9 @@ class OC_TemplateLayout extends OC_Template {
 if(isset($data['version']) && $data['version'] != '' and $data['version'] !== Array()) {
 $this->assign('updateAvailable', true);
 $this->assign('updateVersion', $data['versionstring']);
- $this->assign('updateLink', $data['web']);
+ if(substr($data['web'], 0, 8) === 'https://') {
+ $this->assign('updateLink', $data['web']);
+ }
 \OCP\Util::addScript('core', 'update-notification');
 } else {
 $this->assign('updateAvailable', false); // No update available or not an admin user
|
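Review bot: `data-update-link` is still emitted whenever `updateAvailable` is true, but the lib/private/templatelayout.php hunk of this commit now assigns `updateLink` only for `https://` URLs, so this line can read `$_['updateLink']` while it is unset (presumably a PHP notice and an empty attribute). Guard the read, e.g. `data-update-link="<?php p(isset($_['updateLink']) ? $_['updateLink'] : ''); ?>"`, or have the layout class assign an empty default in the non-https case. A short template comment stating that both values come from the remote update server and must stay on `p()` would also help keep a later edit from reintroducing `print_unescaped()` here.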
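Review bot: `substr($data['web'], 0, 8)` assumes `$data['web']` is present and a string, while the surrounding condition already has to rule out `$data['version'] !== Array()`, which suggests fields of the update response can arrive missing or as arrays. Making the guard explicit, `if (isset($data['web']) && is_string($data['web']) && substr($data['web'], 0, 8) === 'https://') {`, avoids a notice or warning on a malformed response; `$data['versionstring']` two lines above is assigned without the same check. The prefix test only pins the scheme, so any https host the server returns is still accepted; if the link is expected to point at a known download host, comparing `parse_url($data['web'], PHP_URL_HOST)` against it would be tighter. The enclosing method starts and ends outside the hunk.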