Merge pull request #1701 from owncloud/XSS-fixes

Sanitize HTML
Lukas Reschke 2013-02-14 10:50:46 -08:00
commit 5624f1b838
2 changed files with 3 additions and 3 deletions


@ -31,7 +31,7 @@
<ul id="settings" class="svg">
<span id="expand">
<?php echo OCP\User::getDisplayName($user=null)?OCP\User::getDisplayName($user=null):(OC_User::getUser()?OC_User::getUser():'') ?>
<?php echo OCP\User::getDisplayName($user=null)?OC_Util::sanitizeHTML(OCP\User::getDisplayName($user=null)):(OC_User::getUser()?OC_User::getUser():'') ?>
<img class="svg" src="<?php echo image_path('', 'actions/caret.svg'); ?>" />
</span>
<div id="expanddiv">
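Review bot: The fallback branch on the new line still echoes `OC_User::getUser()` unescaped, so only the display-name path goes through `OC_Util::sanitizeHTML`; whether a user id can carry markup depends on username validation elsewhere, but output escaping should not rely on that. The display name is also fetched twice in the same expression. Resolving the value first and escaping the result once covers both branches: `<?php $name = OCP\User::getDisplayName($user=null); $uid = OC_User::getUser(); ?>` followed by `<?php echo OC_Util::sanitizeHTML($name ? $name : ($uid ? $uid : '')); ?>`.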


@ -308,7 +308,7 @@ $(document).ready(function () {
event.stopPropagation();
var img = $(this);
var uid = img.parent().parent().attr('data-uid');
var displayName = img.parent().parent().attr('data-displayName');
var displayName = escapeHTML(img.parent().parent().attr('data-displayName'));
var input = $('<input type="text" value="' + displayName + '">');
img.css('display', 'none');
img.parent().children('span').replaceWith(input);
@ -329,7 +329,7 @@ $(document).ready(function () {
}
});
input.blur(function () {
$(this).replaceWith($(this).val());
$(this).replaceWith(escapeHTML($(this).val()));
img.css('display', '');
});
});
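Review bot: On the new line of the first hunk the escaped name is still spliced into an attribute by string concatenation, so the fix is only as strong as `escapeHTML`'s handling of the quote character, which this page does not show; building the element through the DOM removes that dependency: `var input = $('<input type="text">').val(img.parent().parent().attr('data-displayName'));`. The blur handler in the second hunk has the same shape, and `$(this).replaceWith($('<span>').text($(this).val()));` inserts the value as text without re-parsing it while also restoring the `span` that `img.parent().children('span')` on the earlier line looks for, which the current code appears to leave missing after the first edit (inferred from these lines; the ready callback continues outside the hunks). Note too that `displayName` now holds the escaped form, so any use of it as a plain string in the code between the hunks would see entities rather than the raw name.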