prevent xss attacks by manipulating image file names

author: Bjoern Schiessle <schiessle@owncloud.com> 2012-06-04 16:22:25 +0200
committer: Bjoern Schiessle <schiessle@owncloud.com> 2012-06-04 16:22:25 +0200
commit: f291a843bf1258a71943aca824c281540c636c1c (patch)
tree: 48f608a5024b739067009c98c85490e064d2a62a
parent: 1d6ca084a6f5414ae3bb0753500ad386c86d087c (diff)
download: nextcloud-server-f291a843bf1258a71943aca824c281540c636c1c.tar.gz
nextcloud-server-f291a843bf1258a71943aca824c281540c636c1c.zip
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/files_imageviewer/js/lightbox.js b/apps/files_imageviewer/js/lightbox.js
index fe8b9753095..7a7fb663857 100644
--- a/apps/files_imageviewer/js/lightbox.js
+++ b/apps/files_imageviewer/js/lightbox.js
@@ -25,7 +25,7 @@ function viewImage(dir, file) {
 	var location=OC.filePath('files','ajax','download.php')+'?files='+file+'&dir='+dir;
 	$.fancybox({
 		"href": location,
-		"title": file,
+		"title": file.replace(/</, "&lt;").replace(/>/, "&gt;"),
 		"titlePosition": "inside"
 	});
 }
author	Bjoern Schiessle <schiessle@owncloud.com>	2012-06-04 16:22:25 +0200
committer	Bjoern Schiessle <schiessle@owncloud.com>	2012-06-04 16:22:25 +0200
commit	f291a843bf1258a71943aca824c281540c636c1c (patch)
tree	48f608a5024b739067009c98c85490e064d2a62a
parent	1d6ca084a6f5414ae3bb0753500ad386c86d087c (diff)
download	nextcloud-server-f291a843bf1258a71943aca824c281540c636c1c.tar.gz nextcloud-server-f291a843bf1258a71943aca824c281540c636c1c.zip