author | Lukas Reschke <lukas@statuscode.ch> | 2013-02-14 10:50:46 -0800 |
---|---|---|
committer | Lukas Reschke <lukas@statuscode.ch> | 2013-02-14 10:50:46 -0800 |
commit | 5624f1b838575fc26d45d97e7aa6ea2f58bf29e3 (patch) | |
tree | 6f232b0bd32c93a9423f8b1d79073be4848f2558 /settings/js | |
parent | 7f1b8274a895972b9e850e90b56797c42adae30e (diff) | |
parent | c7094197bfe4b6702397e147847ef9cfd8d21b63 (diff) | |
download | nextcloud-server-5624f1b838575fc26d45d97e7aa6ea2f58bf29e3.tar.gz nextcloud-server-5624f1b838575fc26d45d97e7aa6ea2f58bf29e3.zip |
Merge pull request #1701 from owncloud/XSS-fixes
Sanitize HTML
Diffstat (limited to 'settings/js')
-rw-r--r-- | settings/js/users.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/settings/js/users.js b/settings/js/users.js
index da18b4be836..086b0884a3b 100644
--- a/settings/js/users.js
+++ b/settings/js/users.js
@@ -308,7 +308,7 @@ $(document).ready(function () {
 event.stopPropagation();
 var img = $(this);
 var uid = img.parent().parent().attr('data-uid');
- var displayName = img.parent().parent().attr('data-displayName');
+ var displayName = escapeHTML(img.parent().parent().attr('data-displayName'));
 var input = $('<input type="text" value="' + displayName + '">');
 img.css('display', 'none');
 img.parent().children('span').replaceWith(input);
@@ -329,7 +329,7 @@ $(document).ready(function () {
 }
 });
 input.blur(function () {
- $(this).replaceWith($(this).val());
+ $(this).replaceWith(escapeHTML($(this).val()));
 img.css('display', '');
 });
 });
|
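Review bot: The escaped display name in the first hunk is still concatenated into a double-quoted `value="..."` attribute, so the fix is only as strong as escapeHTML's handling of `"`. Its definition is not visible here; if it does not encode double quotes, a display name containing one could still terminate the attribute. Setting the value through the DOM removes that dependency: `var input = $('<input type="text">').val(displayName);` with `displayName` left unescaped. Any later use of `displayName` in this handler (the body continues outside the hunk) should also be checked, since the variable now holds the HTML-escaped form rather than the raw name.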
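Review bot: In the blur handler of the second hunk the string passed to `replaceWith()` is still parsed as HTML, so output safety rests entirely on escapeHTML covering every relevant character. Inserting a text node skips the parsing step and needs no escaping at all: `$(this).replaceWith(document.createTextNode($(this).val()));`. The enclosing click handler starts and ends outside the hunk, so whether the edited value is written back to `data-displayName` unescaped cannot be confirmed from here.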