Merge pull request #8187 from owncloud/escape-more-character

Also encode > and '

2 files changed, 12 insertions, 1 deletions

diff --git a/core/js/js.js b/core/js/js.js
index cf35d8aac6a..21a2d4c1b35 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -154,7 +154,7 @@ function n(app, text_singular, text_plural, count, vars) {
 * @return {string} Sanitized string
 */
 function escapeHTML(s) {
-	return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('"').join('&quot;');
+	return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('>').join('&gt;').split('"').join('&quot;').split('\'').join('&#039;');
 }
 
 /**
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 65f768fbc51..233c4d5a0b4 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -124,6 +124,17 @@ describe('Core base tests', function() {
 			expect(OC.dirname('/subdir/')).toEqual('/subdir');
 		});
 	});
+	describe('escapeHTML', function() {
+		it('Returns nothing if no string was given', function() {
+			expect(escapeHTML('')).toEqual('');
+		});
+		it('Returns a sanitized string if a string containing HTML is given', function() {
+			expect(escapeHTML('There needs to be a <script>alert(\"Unit\" + \'test\')</script> for it!')).toEqual('There needs to be a &lt;script&gt;alert(&quot;Unit&quot; + &#039;test&#039;)&lt;/script&gt; for it!');
+		});
+		it('Returns the string without modification if no potentially dangerous character is passed.', function() {
+			expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
+		});
+	});
 	describe('Link functions', function() {
 		var TESTAPP = 'testapp';
 		var TESTAPP_ROOT = OC.webroot + '/appsx/testapp';