-rw-r--r-- | core/js/js.js | 2 | ||||
-rw-r--r-- | core/js/tests/specs/coreSpec.js | 11 |
2 files changed, 12 insertions, 1 deletions
diff --git a/core/js/js.js b/core/js/js.js
index cf35d8aac6a..21a2d4c1b35 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -154,7 +154,7 @@ function n(app, text_singular, text_plural, count, vars) {
 * @return {string} Sanitized string
 */
 function escapeHTML(s) {
- return s.toString().split('&').join('&').split('<').join('<').split('"').join('"');
+ return s.toString().split('&').join('&').split('<').join('<').split('>').join('>').split('"').join('"').split('\'').join(''');
 }
 
 /**
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 65f768fbc51..233c4d5a0b4 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -124,6 +124,17 @@ describe('Core base tests', function() {
 expect(OC.dirname('/subdir/')).toEqual('/subdir');
 });
 });
+ describe('escapeHTML', function() {
+ it('Returns nothing if no string was given', function() {
+ expect(escapeHTML('')).toEqual('');
+ });
+ it('Returns a sanitized string if a string containing HTML is given', function() {
+ expect(escapeHTML('There needs to be a <script>alert(\"Unit\" + \'test\')</script> for it!')).toEqual('There needs to be a <script>alert("Unit" + 'test')</script> for it!');
+ });
+ it('Returns the string without modification if no potentially dangerous character is passed.', function() {
+ expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
+ });
+ });
 describe('Link functions', function() {
 var TESTAPP = 'testapp';
 var TESTAPP_ROOT = OC.webroot + '/appsx/testapp'; |
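Review bot: The rewritten return line in escapeHTML still calls `s.toString()` with no guard, so `null` or `undefined` input throws a TypeError instead of yielding an empty string; if any caller can pass an unset value, a guard such as `if (s == null) { return ''; }` before the split/join chain would make the helper safe to use as a default sanitizer. On this rendering each `.join()` argument reads identically to its `.split()` argument (for example `split('&').join('&')`), which is presumably the page decoding the `&amp;`-style entities; worth confirming the committed file carries the entity forms, since a literal identity mapping would escape nothing. The JSDoc above the function (its opening lies outside the hunk) only says "Sanitized string" and could state the contract precisely, e.g. `Escapes & < > " ' for safe insertion into HTML text and quoted attribute values; not sufficient on its own for JavaScript, URL or CSS contexts.`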
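Review bot: The first added case, 'Returns nothing if no string was given', passes an empty string, so it exercises the trivial path rather than the non-string path its name describes; since escapeHTML calls `s.toString()`, an assertion such as `expect(function() { escapeHTML(undefined); }).toThrow();` (or whatever behaviour is actually intended for unset input) would pin that contract. The second case's expected value reads identically to its input on this page, which is presumably the page decoding the entity-encoded expectation; confirm the committed spec compares against the `&lt;`/`&gt;`/`&quot;`-encoded form, otherwise the test would assert that nothing was escaped. A case with an ampersand-only input (e.g. `'a & b'`, a constructed sample) would also catch a double-escaping regression, because `&` must be replaced before the other characters. The enclosing `describe('Core base tests', ...)` begins outside the hunk.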