diff options
| author | Lukas Reschke <lukas@statuscode.ch> | 2012-10-12 14:02:19 +0200 |
|---|---|---|
| committer | Lukas Reschke <lukas@statuscode.ch> | 2012-10-12 14:10:05 +0200 |
| commit | e5f2d46c6f7329309ec9a6048acdb3f36bcd9a21 (patch) | |
| tree | 9420fef89b116f364956c86a814bc89609e5fc48 /apps | |
| parent | e45f36c2d4161f59f9a87cc9b9c884e4600f42a8 (diff) | |
| download | nextcloud-server-e5f2d46c6f7329309ec9a6048acdb3f36bcd9a21.tar.gz nextcloud-server-e5f2d46c6f7329309ec9a6048acdb3f36bcd9a21.zip | |
Sanitize user input
Diffstat (limited to 'apps')
| -rw-r--r-- | apps/files/js/filelist.js | 12 |
1 files changed, 6 insertions, 6 deletions
diff --git a/apps/files/js/filelist.js b/apps/files/js/filelist.js index de733579072..100a2368722 100644 --- a/apps/files/js/filelist.js +++ b/apps/files/js/filelist.js @@ -15,9 +15,9 @@ var FileList={ extension=false; } html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />'; - html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+name+'"><span class="nametext">'+basename; + html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename); if(extension){ - html+='<span class="extension">'+extension+'</span>'; + html+='<span class="extension">'+escapeHTML(extension)+'</span>'; } html+='</span></a></td>'; if(size!='Pending'){ @@ -189,9 +189,9 @@ var FileList={ checkName:function(oldName, newName, isNewFile) { if (isNewFile || $('tr').filterAttr('data-file', newName).length > 0) { if (isNewFile) { - $('#notification').html(newName+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="suggest">'+t('files', 'suggest name')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>'); + $('#notification').html(escapeHTML(newName)+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="suggest">'+t('files', 'suggest name')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>'); } else { - $('#notification').html(newName+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>'); + $('#notification').html(escapeHTML(newName)+' '+t('files', 'already exists')+'<span class="replace">'+t('files', 'replace')+'</span><span class="cancel">'+t('files', 'cancel')+'</span>'); } $('#notification').data('oldName', oldName); $('#notification').data('newName', newName); @@ -272,9 +272,9 @@ var FileList={ } else { // NOTE: Temporary fix to change the text to unshared for files in root of Shared folder if ($('#dir').val() == '/Shared') { - $('#notification').html(t('files', 'unshared')+' '+files+'<span class="undo">'+t('files', 'undo')+'</span>'); + $('#notification').html(t('files', 'unshared')+' '+ escapeHTML(files) +'<span class="undo">'+t('files', 'undo')+'</span>'); } else { - $('#notification').html(t('files', 'deleted')+' '+files+'<span class="undo">'+t('files', 'undo')+'</span>'); + $('#notification').html(t('files', 'deleted')+' '+ escapeHTML(files)+'<span class="undo">'+t('files', 'undo')+'</span>'); } $('#notification').fadeIn(); } |