summaryrefslogtreecommitdiffstats
path: root/apps/files_texteditor
diff options
context:
space:
mode:
authorBjoern Schiessle <schiessle@owncloud.com>2012-06-04 16:20:03 +0200
committerBjoern Schiessle <schiessle@owncloud.com>2012-06-04 16:20:03 +0200
commit1d6ca084a6f5414ae3bb0753500ad386c86d087c (patch)
tree329caa99ce7023574eadb31cdc1e7dc37dd81b35 /apps/files_texteditor
parent3b9bf83fe7833c2cf8d1d9fc2f0f2a41b2a92ebc (diff)
downloadnextcloud-server-1d6ca084a6f5414ae3bb0753500ad386c86d087c.tar.gz
nextcloud-server-1d6ca084a6f5414ae3bb0753500ad386c86d087c.zip
prevent xss attacks by manipulating text file names
Diffstat (limited to 'apps/files_texteditor')
-rw-r--r--apps/files_texteditor/js/editor.js2
1 files changed, 1 insertions, 1 deletions
diff --git a/apps/files_texteditor/js/editor.js b/apps/files_texteditor/js/editor.js
index 9d168c1c4f6..70bb74a9101 100644
--- a/apps/files_texteditor/js/editor.js
+++ b/apps/files_texteditor/js/editor.js
@@ -67,7 +67,7 @@ function setSyntaxMode(ext){
function showControls(filename,writeperms){
// Loads the control bar at the top.
// Load the new toolbar.
- var editorbarhtml = '<div id="editorcontrols" style="display: none;"><div class="crumb svg last" id="breadcrumb_file" style="background-image:url(&quot;'+OC.imagePath('core','breadcrumb.png')+'&quot;)"><p>'+filename+'</p></div>';
+ var editorbarhtml = '<div id="editorcontrols" style="display: none;"><div class="crumb svg last" id="breadcrumb_file" style="background-image:url(&quot;'+OC.imagePath('core','breadcrumb.png')+'&quot;)"><p>'+filename.replace(/</, "&lt;").replace(/>/, "&gt;")+'</p></div>';
if(writeperms=="true"){
editorbarhtml += '<button id="editor_save">'+t('files_texteditor','Save')+'</button><div class="separator"></div>';
}
generated by cgit v1.2.3 (git 2.39.1) at 2025-01-30 11:53:30 +0000