diff options
| author | Roeland Jago Douma <rullzer@users.noreply.github.com> | 2019-07-30 09:51:45 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2019-07-30 09:51:45 +0200 |
| commit | 53330ce1fc07029f1f5af2e7036bcae651dabf6b (patch) | |
| tree | 126415a4c79d1d08d714c7ccd2b737123cc8ed10 | |
| parent | a3bf8ac339f390a8a0331875d1b72e2e88f2e939 (diff) | |
| parent | 4977f235f60a4ae4257f79b7d96d3cf109850072 (diff) | |
| download | nextcloud-server-53330ce1fc07029f1f5af2e7036bcae651dabf6b.tar.gz nextcloud-server-53330ce1fc07029f1f5af2e7036bcae651dabf6b.zip | |
Merge pull request #16599 from nextcloud/fix/xss/on-favorite-file
Fix/xss/on favorite file
| -rw-r--r-- | apps/files/js/tagsplugin.js | 2 | ||||
| -rw-r--r-- | apps/theming/js/3rdparty/jscolor/jscolor.js | 2 |
2 files changed, 2 insertions, 2 deletions
diff --git a/apps/files/js/tagsplugin.js b/apps/files/js/tagsplugin.js index 008fe752b6b..572a399063e 100644 --- a/apps/files/js/tagsplugin.js +++ b/apps/files/js/tagsplugin.js @@ -103,7 +103,7 @@ var innerTagA = document.createElement('A'); innerTagA.setAttribute("href", url); innerTagA.setAttribute("class", "nav-icon-files svg"); - innerTagA.innerHTML = appName; + innerTagA.innerHTML = _.escape(appName); var length = listLIElements.length + 1; var innerTagLI = document.createElement('li'); diff --git a/apps/theming/js/3rdparty/jscolor/jscolor.js b/apps/theming/js/3rdparty/jscolor/jscolor.js index 2bdd4607b41..cad36eab92a 100644 --- a/apps/theming/js/3rdparty/jscolor/jscolor.js +++ b/apps/theming/js/3rdparty/jscolor/jscolor.js @@ -1100,7 +1100,7 @@ var jsc = { if (jsc.isElementType(this.valueElement, 'input')) { this.valueElement.value = value; } else { - this.valueElement.innerHTML = value; + this.valueElement.innerHTML = _.escape(value); } } if (!(flags & jsc.leaveStyle)) { |