authorLukas Reschke <lukas@statuscode.ch>2013-04-23 06:46:47 -0700
committerLukas Reschke <lukas@statuscode.ch>2013-04-23 06:46:47 -0700
commit084448ab0ebfeeb668262db41ce7237f26498bef (patch)
treec468a38a1748dbb56b2883175077208ac4bc54e7
parent5e9a8b0a70c48ecda67884979a80ca545f1dd755 (diff)
parent1fb796c2f1a592a0aae05a90e45c1a348096275f (diff)
downloadnextcloud-server-084448ab0ebfeeb668262db41ce7237f26498bef.tar.gz
nextcloud-server-084448ab0ebfeeb668262db41ce7237f26498bef.zip
Merge pull request #3075 from owncloud/media_stable4_html
Media: Escape HTML
-rw-r--r--apps/media/js/collection.js40
-rw-r--r--apps/media/js/player.js8
-rw-r--r--apps/media/js/playlist.js6
3 files changed, 27 insertions, 27 deletions
diff --git a/apps/media/js/collection.js b/apps/media/js/collection.js
index 161fc0c6810..74efd3a8fe6 100644
--- a/apps/media/js/collection.js
+++ b/apps/media/js/collection.js
@@ -62,14 +62,14 @@ Collection={
Collection.albumsById[song.song_album].songs.push(songData);
}
}
-
+
Collection.artists.sort(function(a,b){
if(!a.name){
return -1;
}
return a.name.localeCompare(b.name);
});
-
+
Collection.loaded=true;
Collection.loading=false;
for(var i=0;i<Collection.loadedListeners.length;i++){
@@ -97,20 +97,20 @@ Collection={
if(artist.name && artist.songs.length>0){
var tr=template.clone().removeClass('template');
if(artist.songs.length>1){
- tr.find('td.title a').html(artist.songs.length+' '+t('media','songs'));
- tr.find('td.album a').html(artist.albums.length+' '+t('media','albums'));
+ tr.find('td.title a').text(artist.songs.length+' '+t('media','songs'));
+ tr.find('td.album a').text(artist.albums.length+' '+t('media','albums'));
}else{
- tr.find('td.title a').html(artist.songs[0].name);
- tr.find('td.album a').html(artist.albums[0].name);
+ tr.find('td.title a').text(artist.songs[0].name);
+ tr.find('td.album a').text(artist.albums[0].name);
}
- tr.find('td.artist a').html(artist.name);
+ tr.find('td.artist a').text(artist.name);
tr.data('artistData',artist);
tr.find('td.artist a').click(function(event){
event.preventDefault();
PlayList.add(artist);
PlayList.play(0);
Collection.parent.find('tr').removeClass('active');
- $('tr[data-artist="'+artist.name+'"]').addClass('active');
+ $('tr[data-artist="'+escapeHTML(artist.name)+'"]').addClass('active');
});
var expander='';
if(artist.songs.length>1){
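Review bot: `escapeHTML()` inside the attribute selector on the `addClass('active')` line applies HTML entity encoding to a CSS selector, which has its own syntax and metacharacters. It only matches because the `data-*` attributes are themselves stored escaped in a later hunk, and whether a name containing a quote or a backslash is handled depends on what `escapeHTML` encodes, which is not visible here. Comparing values avoids building a selector from song metadata at all: `$('tr').filter(function(){ return $(this).attr('data-artist') === artist.name; }).addClass('active');`. The same pattern recurs in the `data-album` and `data-title` selectors and in the `hideArtist`, `showAlbum` and `hideAlbum` lookups in the later hunks of this file.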
@@ -158,7 +158,7 @@ Collection={
PlayList.add(album);
PlayList.play(0);
Collection.parent.find('tr').removeClass('active');
- $('tr[data-album="'+album.name+'"]').addClass('active');
+ $('tr[data-album="'+escapeHTML(album.name)+'"]').addClass('active');
});
if(album.songs.length>1){
var expander=$('<a class="expander">v </a>');
@@ -184,12 +184,12 @@ Collection={
PlayList.add(song);
PlayList.play(0);
Collection.parent.find('tr').removeClass('active');
- $('tr[data-title="'+song.name+'"]').addClass('active');
+ $('tr[data-title="'+escapeHTML(song.name)+'"]').addClass('active');
});
- newRow.attr('data-album',album.name);
- newRow.attr('data-title',song.name);
- newRow.attr('data-artist',artist.name);
- newRow.data('albumData',album);
+ newRow.attr('data-album', escapeHTML(album.name));
+ newRow.attr('data-title', escapeHTML(song.name));
+ newRow.attr('data-artist', escapeHTML(artist.name));
+ newRow.data('albumData', escapeHTML(album));
if(!first){
lastRow.after(newRow);
}
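Review bot: `newRow.data('albumData', escapeHTML(album))` passes the album object, not a string, through the escaper. `showAlbum` and `hideAlbum` read `tr.data('albumData')` back and `hideAlbum` uses `albumData.songs.length`, so if `escapeHTML` returns a string (its definition is not shown) those paths break. `.data()` never reaches the HTML parser, so the line should stay `newRow.data('albumData', album);`. The three `.attr('data-…', escapeHTML(…))` lines above it are also not needed for safety, because `.attr()` sets the value through the DOM rather than parsing markup, and they leave entity-encoded text in the attributes. `Collection.addButtons(tr, escapeHTML(artist))` in the `@@ -218` hunk looks like the same mistake, since `artist` is reassigned to the `artistData` object earlier in `hideArtist`.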
@@ -203,7 +203,7 @@ Collection={
tr.find('td.artist-expander a.expander').text('v');
},
hideArtist:function(artist){
- var tr=Collection.parent.find('tr[data-artist="'+artist+'"]');
+ var tr=Collection.parent.find('tr[data-artist="'+escapeHTML(artist)+'"]');
var artist=tr.first().data('artistData');
tr.first().find('td.album a').first().text(artist.albums.length+' '+t('media','albums'));
tr.first().find('td.album-expander a.expander').remove();
@@ -218,10 +218,10 @@ Collection={
tr.find('td.artist-expander a.expander').data('expanded',false);
tr.find('td.artist-expander a.expander').removeClass('expanded');
tr.find('td.artist-expander a.expander').text('>');
- Collection.addButtons(tr,artist);
+ Collection.addButtons(tr, escapeHTML(artist));
},
showAlbum:function(artist,album){
- var tr = Collection.parent.find('tr[data-artist="'+artist+'"][data-album="'+album+'"]');
+ var tr = Collection.parent.find('tr[data-artist="'+escapeHTML(artist)+'"][data-album="'+escapeHTML(album)+'"]');
var lastRow=tr;
var albumData=tr.data('albumData');
tr.find('td.album-expander a.expander').data('expanded',true);
@@ -243,7 +243,7 @@ Collection={
PlayList.add(song);
PlayList.play(0);
Collection.parent.find('tr').removeClass('active');
- $('tr[data-title="'+song.name+'"]').addClass('active');
+ $('tr[data-title="'+escapeHTML(song.name)+'"]').addClass('active');
});
if(i>0){
lastRow.after(newRow);
@@ -252,7 +252,7 @@ Collection={
});
},
hideAlbum:function(artist,album){
- var tr = Collection.parent.find('tr[data-artist="'+artist+'"][data-album="'+album+'"]');
+ var tr = Collection.parent.find('tr[data-artist="'+escapeHTML(artist)+'"][data-album="'+escapeHTML(album)+'"]');
var albumData=tr.data('albumData');
tr.first().find('td.title a').text(albumData.songs.length+' '+t('media','songs'));
tr.find('td.album-expander a.expander').data('expanded',false);
@@ -365,4 +365,4 @@ $(document).ready(function(){
});
Scanner.scanCollection();
});
-});
+});
\ No newline at end of file
diff --git a/apps/media/js/player.js b/apps/media/js/player.js
index ad406830833..8fd7809d0e0 100644
--- a/apps/media/js/player.js
+++ b/apps/media/js/player.js
@@ -53,8 +53,8 @@ var PlayList={
}else{
var next=0;
}
- $('.jp-next').attr('title',items[next].name);
- $('.jp-previous').attr('title',items[previous].name);
+ $('.jp-next').attr('title',escapeHTML(items[next].name));
+ $('.jp-previous').attr('title',escapeHTML(items[previous].name));
if (typeof Collection !== 'undefined') {
Collection.registerPlay();
}
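Review bot: The two `.attr('title', escapeHTML(…))` lines escape for a sink that does not parse HTML, so a track name containing `&` or `<` would appear as literal entities in the tooltip. Escaping is only needed if the title is later rendered as markup, and the `tipsy` calls visible at the end of this file do not pass `html:true`. Unless another consumer renders these titles as HTML, keep `$('.jp-next').attr('title', items[next].name);`. `document.title` in the `@@ -96` hunk is likewise a plain-text property, so `escapeHTML` there will put entities into the window title.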
@@ -96,7 +96,7 @@ var PlayList={
},
play:function(event){
OC.localStorage.setItem('playlist_playing',true);
- document.title = "\u25b8 " + event.jPlayer.status.media.name + " - " + event.jPlayer.status.media.artist + " - ownCloud";
+ document.title = "\u25b8 " + escapeHTML(event.jPlayer.status.media.name) + " - " + escapeHTML(event.jPlayer.status.media.artist) + " - ownCloud";
},
supplied:type,
ready:function(){
@@ -211,4 +211,4 @@ $(document).ready(function(){
$('jp-previous').tipsy({gravity:'n', fade:true, live:true});
$('jp-next').tipsy({gravity:'n', fade:true, live:true});
-})
+})
\ No newline at end of file
diff --git a/apps/media/js/playlist.js b/apps/media/js/playlist.js
index 8e9e2a91537..68fe0b3033b 100644
--- a/apps/media/js/playlist.js
+++ b/apps/media/js/playlist.js
@@ -14,8 +14,8 @@ PlayList.render=function(){
var item=PlayList.items[i];
var li=$('<li/>');
li.attr('class', 'jp-playlist-' + i);
- li.attr('title', item.artist + ' - ' + item.name + '<br/>(' + item.album + ')');
- var div = $('<div class="label">' + item.name + '</div>');
+ li.attr('title', escapeHTML(item.artist) + ' - ' + escapeHTML(item.name) + '<br/>(' + escapeHTML(item.album) + ')');
+ var div = $('<div class="label">' + escapeHTML(item.name) + '</div>');
li.append(div);
$('.jp-playlist-' + i).tipsy({gravity:'w', fade:true, live:true, html:true});
var img=$('<img class="remove svg action" src="'+OC.imagePath('core','actions/delete')+'"/>');
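Review bot: The label `div` is still built by concatenating into a markup string, so its safety rests entirely on what `escapeHTML` encodes. Building it as `var div = $('<div class="label"/>').text(item.name);` matches the `.text()` approach this commit uses in collection.js and removes that dependency. The escaping of the `li` title is warranted, because the tooltip for that element is created with `html:true`. The body of `PlayList.render` starts and ends outside the hunk.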
@@ -54,4 +54,4 @@ $(document).ready(function(){
$('#leftcontent li.song input:checkbox').parent().removeClass('selected');
}
});
-});
+});
\ No newline at end of file