author | Max Fichtelmann <max.fichtelmann@procilon.de> | 2019-07-29 17:44:01 +0200 |
---|---|---|
committer | Max Fichtelmann <max.fichtelmann@procilon.de> | 2019-07-29 18:16:37 +0200 |
commit | 1d29636008957ea39f9be06d38bb5998f699e798 (patch) | |
tree | 69c59e4e64132384b938a3e4194b95e23d5086ed | |
parent | e21f4409909ae13f1a6f4f0328eb2ab4fa85b16b (diff) | |
fix XSS when adding a file with a malicious name to favorites
Signed-off-by: Max Fichtelmann <max.fichtelmann@procilon.de>
-rw-r--r-- | apps/files/js/tagsplugin.js | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/files/js/tagsplugin.js b/apps/files/js/tagsplugin.js
index 008fe752b6b..572a399063e 100644
--- a/apps/files/js/tagsplugin.js
+++ b/apps/files/js/tagsplugin.js
@@ -103,7 +103,7 @@
 var innerTagA = document.createElement('A');
 innerTagA.setAttribute("href", url);
 innerTagA.setAttribute("class", "nav-icon-files svg");
- innerTagA.innerHTML = appName;
+ innerTagA.innerHTML = _.escape(appName);
 var length = listLIElements.length + 1;
 var innerTagLI = document.createElement('li'); |
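Review bot: The new line still writes through `innerHTML`, so this sink stays safe only as long as every later edit remembers to call `_.escape`. Since only a text label is being set, `innerTagA.textContent = appName;` would take HTML parsing out of the path and drop the dependency on underscore being loaded. If `appName` can reach this point already entity-encoded, `textContent` would display the entities literally, and the hunk does not show which is the case. The `url` passed to `setAttribute("href", url)` on the context line is built outside the hunk, so it is worth confirming that the file name is URL-encoded there as well. The enclosing function starts and ends outside the hunk.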