Escape file names and types in filepicker.

owncloud · May 14, 2013 · 752a316 · 752a316
1 parent 256e53b
commit 752a316
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/core/js/oc-dialogs.js b/core/js/oc-dialogs.js
@@ -219,7 +219,7 @@ var OCdialogs = {
 		var entry_template = '<div data-entryname="*ENTRYNAME*" data-dcid="'+dialog_content_id+'" data="*ENTRYTYPE*"><img src="*MIMETYPEICON*" style="margin-right:1em;"><span class="filename">*NAME*</span><div style="float:right;margin-right:1em;">*LASTMODDATE*</div></div>';
 		var names = '';
 		$.each(r.data, function(index, a) {
-			names += entry_template.replace('*LASTMODDATE*', OC.mtime2date(a.mtime)).replace('*NAME*', a.name).replace('*MIMETYPEICON*', a.mimetype_icon).replace('*ENTRYNAME*', a.name).replace('*ENTRYTYPE*', a.type);
+			names += entry_template.replace('*LASTMODDATE*', OC.mtime2date(a.mtime)).replace('*NAME*', escapeHTML(a.name)).replace('*MIMETYPEICON*', a.mimetype_icon).replace('*ENTRYNAME*', escapeHTML(a.name)).replace('*ENTRYTYPE*', escapeHTML(a.type));
 		});
 
 		$(dialog_content_id + ' #filelist').html(names).on('click', '[data="file"]', function() {