From 1d29636008957ea39f9be06d38bb5998f699e798 Mon Sep 17 00:00:00 2001
From: Max Fichtelmann
Date: Mon, 29 Jul 2019 17:44:01 +0200
Subject: fix XSS when adding a file with a malicious name to favorites
Signed-off-by: Max Fichtelmann
---
 apps/files/js/tagsplugin.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'apps/files/js')
diff --git a/apps/files/js/tagsplugin.js b/apps/files/js/tagsplugin.js
index 008fe752b6b..572a399063e 100644
--- a/apps/files/js/tagsplugin.js
+++ b/apps/files/js/tagsplugin.js
@@ -103,7 +103,7 @@
 var innerTagA = document.createElement('A');
 innerTagA.setAttribute("href", url);
 innerTagA.setAttribute("class", "nav-icon-files svg");
- innerTagA.innerHTML = appName;
+ innerTagA.innerHTML = _.escape(appName);

 var length = listLIElements.length + 1;
 var innerTagLI = document.createElement('li');
-- cgit v1.2.3
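Review bot: The added line `innerTagA.innerHTML = _.escape(appName);` still sends the file name through the HTML parser, so its safety rests on `_.escape` being loaded and on nobody later dropping or bypassing the call. Only a text label is being set here, so `innerTagA.textContent = appName;` would render the same string and remove the HTML sink altogether. The `url` given to `setAttribute("href", url)` two lines earlier is built outside this hunk; if it is derived from the same file name, it is worth confirming that it is URL-encoded where it is constructed. The enclosing function starts and ends outside the hunk, so other uses of `appName` could not be checked from here.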