authorMorris Jobke <hey@morrisjobke.de>2014-06-02 10:59:47 +0200
committerMorris Jobke <hey@morrisjobke.de>2014-06-02 10:59:47 +0200
commit27c8c87e94ed0b4c2d7e77030b85f6f18b1bd0ad (patch)
tree163d5238dfa0b19f3b85fc30177d378756d88e2d
parentd39216c5e76b32c496ff39c19bddfbc4fa4247ac (diff)
parent603b6c13b4a187766b33b49c7923399e78e18295 (diff)
Merge pull request #8187 from owncloud/escape-more-character
Also encode > and '
-rw-r--r--core/js/js.js2
-rw-r--r--core/js/tests/specs/coreSpec.js11
2 files changed, 12 insertions, 1 deletions
diff --git a/core/js/js.js b/core/js/js.js
index cf35d8aac6a..21a2d4c1b35 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -154,7 +154,7 @@ function n(app, text_singular, text_plural, count, vars) {
* @return {string} Sanitized string
*/
function escapeHTML(s) {
- return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('"').join('&quot;');
+ return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('>').join('&gt;').split('"').join('&quot;').split('\'').join('&#039;');
}
/**
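Review bot: The JSDoc above `escapeHTML` (its `@return` line opens this hunk) still says only "Sanitized string"; now that the function encodes five characters it should state which ones and in which contexts the output is safe, e.g. `* Escapes &, <, >, " and ' as HTML entities. The result is safe for HTML text content and for double- or single-quoted attribute values; it is not an encoder for unquoted attributes, URLs, CSS or inline script contexts.` Replacing `&` first is what keeps the entities produced by the later replacements from being re-escaped, so a short comment on the new line, `// '&' must be replaced first so the entities added below are not re-escaped`, would protect that ordering from a careless edit. A lookup table with `replace(/[&<>"']/g, ...)` would read more clearly than eight chained split/join calls, but that is a matter of style. `s.toString()` still throws for `null` and `undefined`, which predates this commit.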
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 65f768fbc51..233c4d5a0b4 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -124,6 +124,17 @@ describe('Core base tests', function() {
expect(OC.dirname('/subdir/')).toEqual('/subdir');
});
});
+ describe('escapeHTML', function() {
+ it('Returns nothing if no string was given', function() {
+ expect(escapeHTML('')).toEqual('');
+ });
+ it('Returns a sanitized string if a string containing HTML is given', function() {
+ expect(escapeHTML('There needs to be a <script>alert(\"Unit\" + \'test\')</script> for it!')).toEqual('There needs to be a &lt;script&gt;alert(&quot;Unit&quot; + &#039;test&#039;)&lt;/script&gt; for it!');
+ });
+ it('Returns the string without modification if no potentially dangerous character is passed.', function() {
+ expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
+ });
+ });
describe('Link functions', function() {
var TESTAPP = 'testapp';
var TESTAPP_ROOT = OC.webroot + '/appsx/testapp';
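Review bot: The first spec's title, "Returns nothing if no string was given", does not match what it exercises — it passes an empty string, whereas calling `escapeHTML()` with no argument would throw from `undefined.toString()`. Rename it, e.g. `it('Returns an empty string if an empty string was given', function() {`, or add a separate expectation for the no-argument case once that behaviour is decided. The suite also lacks a case pinning the replacement order that makes the encoder correct: `expect(escapeHTML('&lt;')).toEqual('&amp;lt;');` would catch a future reordering that re-escapes already-produced entities. A non-string input such as `expect(escapeHTML(5)).toEqual('5');` would document the `toString()` call. The enclosing `describe('Core base tests')` block begins and ends outside this hunk.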