-rw-r--r--apps/files_external/js/settings.js4
-rw-r--r--core/templates/layout.user.php2
-rw-r--r--lib/base.php5
-rw-r--r--settings/js/apps.js2
-rw-r--r--settings/js/users.js4
5 files changed, 11 insertions, 6 deletions
diff --git a/apps/files_external/js/settings.js b/apps/files_external/js/settings.js
index 172ef097fbf..12690395270 100644
--- a/apps/files_external/js/settings.js
+++ b/apps/files_external/js/settings.js
@@ -47,7 +47,7 @@ OC.MountConfig={
oldUsers.splice($.inArray(applicable, oldUsers), 1);
}
}
- $.post(OC.filePath('files_external', 'ajax', 'addMountPoint.php'), { mountPoint: mountPoint, class: backendClass, classOptions: classOptions, mountType: mountType, applicable: applicable, isPersonal: isPersonal });
+ $.post(OC.filePath('files_external', 'ajax', 'addMountPoint.php'), { mountPoint: mountPoint, 'class': backendClass, classOptions: classOptions, mountType: mountType, applicable: applicable, isPersonal: isPersonal });
});
var mountType = 'group';
$.each(oldGroups, function(index, applicable) {
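Review bot: The `$.post` on the changed line discards the server's answer — no success or failure callback — so a rejected or failed addMountPoint.php request goes unnoticed while the surrounding function still ends on `return true` (visible in the next hunk). The changed line of the second hunk in this file has the same shape and the same gap. Both calls build an identical payload, so a small helper that takes the per-mount fields and attaches a failure handler, e.g. `$.post(url, data).fail(function () { /* surface the error to the user */ });`, would remove the duplication and make a failed save visible; `.fail` assumes the bundled jQuery is 1.5 or newer, which the hunk does not show. The enclosing function starts before this hunk.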
@@ -61,7 +61,7 @@ OC.MountConfig={
var isPersonal = true;
var mountType = 'user';
var applicable = OC.currentUser;
- $.post(OC.filePath('files_external', 'ajax', 'addMountPoint.php'), { mountPoint: mountPoint, class: backendClass, classOptions: classOptions, mountType: mountType, applicable: applicable, isPersonal: isPersonal });
+ $.post(OC.filePath('files_external', 'ajax', 'addMountPoint.php'), { mountPoint: mountPoint, 'class': backendClass, classOptions: classOptions, mountType: mountType, applicable: applicable, isPersonal: isPersonal });
}
return true;
}
diff --git a/core/templates/layout.user.php b/core/templates/layout.user.php
index c8b580b5fd9..38aa31be32b 100644
--- a/core/templates/layout.user.php
+++ b/core/templates/layout.user.php
@@ -31,7 +31,7 @@
<ul id="settings" class="svg">
<span id="expand">
- <?php echo OCP\User::getDisplayName($user=null)?OCP\User::getDisplayName($user=null):(OC_User::getUser()?OC_User::getUser():'') ?>
+ <?php echo OCP\User::getDisplayName($user=null)?OC_Util::sanitizeHTML(OCP\User::getDisplayName($user=null)):(OC_User::getUser()?OC_User::getUser():'') ?>
<img class="svg" src="<?php echo image_path('', 'actions/caret.svg'); ?>" />
</span>
<div id="expanddiv">
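Review bot: Only the display-name branch of the changed line goes through `OC_Util::sanitizeHTML`; the fallback `OC_User::getUser()` is still echoed raw, so a user id containing markup characters would reach the page unescaped. Computing the name once and escaping the whole result closes that gap and also drops the duplicated `getDisplayName` call: `<?php $name = OCP\User::getDisplayName($user=null); if (!$name) { $name = OC_User::getUser(); } echo OC_Util::sanitizeHTML($name ? $name : ''); ?>`. Whether user ids can actually contain such characters depends on validation in the user backend, which is outside this hunk.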
diff --git a/lib/base.php b/lib/base.php
index fd9a1d41121..ff95a87e438 100644
--- a/lib/base.php
+++ b/lib/base.php
@@ -231,6 +231,11 @@ class OC {
header("Location: $url");
exit();
}
+ } else {
+ // Invalidate HSTS headers
+ if (OC_Request::serverProtocol() === 'https') {
+ header('Strict-Transport-Security: max-age=0');
+ }
}
}
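Review bot: The added comment `// Invalidate HSTS headers` says what the header does but not why this branch sends it; a reader needs to know that `max-age=0` only affects a browser that already holds an HSTS entry for this host, which is why it is tied to an https response. Suggest `// Forced SSL is off: clear any HSTS policy a browser may still hold from an earlier forced-SSL setting (browsers only honour the header over https)`. The forced-SSL reading is inferred from the `Location` redirect in the if-branch, whose condition lies outside the hunk; confirm against it. Note that per RFC 6797 a max-age of 0 also drops a previously set includeSubDomains directive, which appears to be the intended effect here.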
diff --git a/settings/js/apps.js b/settings/js/apps.js
index 3bc3488e490..8c266c66e4b 100644
--- a/settings/js/apps.js
+++ b/settings/js/apps.js
@@ -134,7 +134,7 @@ OC.Settings.Apps = OC.Settings.Apps || {
if(container.children('li[data-id="'+entry.id+'"]').length === 0){
var li=$('<li></li>');
li.attr('data-id', entry.id);
- var img= $('<img></img>').attr({ src: entry.icon, class:'icon'});
+ var img= $('<img class="icon"/>').attr({ src: entry.icon});
var a=$('<a></a>').attr('href', entry.href);
a.text(entry.name);
a.prepend(img);
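Review bot: The changed line passes a single property to `.attr()` in object form, while the neighbouring lines use the two-argument form (`li.attr('data-id', entry.id)`, `.attr('href', entry.href)`); matching them reads more consistently: `var img = $('<img class="icon"/>').attr('src', entry.icon);`. Behaviour is unchanged either way. The enclosing function starts before this hunk.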
diff --git a/settings/js/users.js b/settings/js/users.js
index da18b4be836..086b0884a3b 100644
--- a/settings/js/users.js
+++ b/settings/js/users.js
@@ -308,7 +308,7 @@ $(document).ready(function () {
event.stopPropagation();
var img = $(this);
var uid = img.parent().parent().attr('data-uid');
- var displayName = img.parent().parent().attr('data-displayName');
+ var displayName = escapeHTML(img.parent().parent().attr('data-displayName'));
var input = $('<input type="text" value="' + displayName + '">');
img.css('display', 'none');
img.parent().children('span').replaceWith(input);
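Review bot: Building the input as an HTML string on the line after the change (`'<input type="text" value="' + displayName + '">'`) is what made the escaping necessary; letting jQuery set the value directly avoids the string concatenation and the encode/decode round trip altogether: `var displayName = img.parent().parent().attr('data-displayName');` followed by `var input = $('<input type="text">').val(displayName);`. If `data-displayName` is absent, `attr` returns undefined, and what `escapeHTML(undefined)` yields depends on its implementation, which is outside this hunk. The enclosing click handler starts before the hunk.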
@@ -329,7 +329,7 @@ $(document).ready(function () {
}
});
input.blur(function () {
- $(this).replaceWith($(this).val());
+ $(this).replaceWith(escapeHTML($(this).val()));
img.css('display', '');
});
});
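Review bot: On the changed line the input is replaced by a bare escaped string, i.e. a text node, whereas the earlier hunk in this file removed a `<span>` child (`img.parent().children('span').replaceWith(input)`); after one edit there is no span left for the next click to swap out. Rebuilding the span and setting its text handles both points without manual escaping: `$(this).replaceWith($('<span>').text($(this).val()));` — `.text()` writes a text node, so markup in the value is never parsed. Whether other code relies on attributes of that span (none are visible in the hunk) should be checked before settling on the markup.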