From 6e424eb990e7640f6d8f2cb25fe97024ebd95a05 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Sun, 13 Apr 2014 15:24:35 +0200
Subject: Also encode > and '
---
 core/js/js.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/js/js.js b/core/js/js.js
index f10c7163092..b712da4bd02 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -151,7 +151,7 @@ function n(app, text_singular, text_plural, count, vars) {
 * @return Sanitized string
 */
 function escapeHTML(s) {
- return s.toString().split('&').join('&').split('<').join('<').split('"').join('"');
+ return s.toString().split('&').join('&').split('<').join('<').split('>').join('>').split('"').join('"').split('\'').join(''');
 }
 
 /**
-- 
cgit v1.2.3
From 360a79b8f492ec8597c1ec8a55c1dde2837c8104 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 28 May 2014 22:14:05 +0200
Subject: Add unit tests for escapeHTML
---
 core/js/tests/specs/coreSpec.js | 11 +++++++++++
 1 file changed, 11 insertions(+)
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index ccd9f7a1288..fb237bad5df 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
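Review bot: The new `return` line still goes through `s.toString()`, so `escapeHTML(undefined)` or `escapeHTML(null)` throws a TypeError instead of yielding a harmless empty string; `String(s)` keeps the number-to-string coercion the tests rely on while tolerating a missing value, i.e. `return String(s).split('&')...`. The JSDoc above the function (only `* @return Sanitized string` is visible here; the header starts above the hunk) should state the contexts the output is safe for now that `>` and `'` are covered, for example `* Escapes &, <, >, " and ' so the result is safe as HTML text or inside a single/double-quoted attribute value; it is NOT sufficient for unquoted attributes, URLs or inline script/event-handler strings, which need their own encoders.` Note that the replacement targets render on this page as bare `&`, `<`, `>`, `"`, `'`, presumably because the page decoded the HTML entities in the source; the `&`-first ordering is correct provided the real targets are the entity forms, and a reviewer should confirm that against the file rather than this rendering.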
@@ -124,6 +124,17 @@ describe('Core base tests', function() {
 expect(OC.dirname('/subdir/')).toEqual('/subdir');
 });
 });
+ describe('escapeHTML', function() {
+ it('Returns nothing if no string was given', function() {
+ expect(escapeHTML('')).toEqual('');
+ });
+ it('Returns a sanitized string if a string containing HTML is given', function() {
+ expect(escapeHTML('There needs to be a for it!')).toEqual('There needs to be a <script>alert("Unit" + 'test')</script> for it!');
+ });
+ it('Returns the string without modification if no potential dangerous character is passed.', function() {
+ expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
+ });
+ });
 describe('Link functions', function() {
 var TESTAPP = 'testapp';
 var TESTAPP_ROOT = OC.webroot + '/appsx/testapp';
-- 
cgit v1.2.3
From 603b6c13b4a187766b33b49c7923399e78e18295 Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Sat, 31 May 2014 21:11:29 +0200
Subject: Fix typo
---
 core/js/tests/specs/coreSpec.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index fb237bad5df..dea4d4b91cf 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -131,7 +131,7 @@ describe('Core base tests', function() {
 it('Returns a sanitized string if a string containing HTML is given', function() {
 expect(escapeHTML('There needs to be a for it!')).toEqual('There needs to be a <script>alert("Unit" + 'test')</script> for it!');
 });
- it('Returns the string without modification if no potential dangerous character is passed.', function() {
+ it('Returns the string without modification if no potentially dangerous character is passed.', function() {
 expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
 });
 });
-- 
cgit v1.2.3
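Review bot: The three added `it` cases in the `escapeHTML` describe block check one combined string and never pin the property that matters most for an HTML escaper, that `&` is replaced before the other entities so already-escaped input is not corrupted; a case such as `expect(escapeHTML('&lt;')).toEqual('&amp;lt;');` would catch a reordering that the combined assertion could pass by coincidence. Each of the five characters should also get its own one-character assertion (one `expect` per `&`, `<`, `>`, `"`, `'`), since a dropped `>` or `'` replacement is exactly the regression the preceding commit guards against, and a non-string input like `expect(escapeHTML(42)).toEqual('42');` would cover the `toString()` coercion path. The input in the second case reads `'There needs to be a for it!'` on this page with no tag between "a" and "for", presumably stripped by the page rendering along with the expected entities; confirm the literal in the file actually contains the `<script>` markup the expectation implies. The enclosing `describe('Core base tests', ...)` starts above the hunk.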