diff options
| author | Lukas Reschke <lukas@owncloud.com> | 2016-02-11 19:56:56 +0300 |
|---|---|---|
| committer | Lukas Reschke <lukas@owncloud.com> | 2016-02-11 19:57:08 +0300 |
| commit | be44304e5cdaa9d132bd1d21407040a440123c4f (patch) | |
| tree | 68f66a4ff3ccd45b904d30960bebd17e39b74aa4 /js | |
| parent | e80d64e8d43405065cb3b2e43e0a333155e5c1f6 (diff) | |
Escape HTML
Fixes two XSS vulnerabilities within the JS.
Diffstat (limited to 'js')
| -rwxr-xr-x | js/viewer.js | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/js/viewer.js b/js/viewer.js index b91aa0a..c7dfd50 100755 --- a/js/viewer.js +++ b/js/viewer.js @@ -9,8 +9,8 @@ var videoViewer = { // insert HTML $('<div id="videoplayer_overlay" style="display:none;"><div id="videoplayer_outer_container"><div id="videoplayer_container"><div id="videoplayer"></div></div></div></div>').appendTo('body'); var playerView = videoViewer.UI.playerTemplate - .replace(/%type%/g, videoViewer.mime) - .replace(/%src%/g, videoViewer.location) + .replace(/%type%/g, escapeHTML(videoViewer.mime)) + .replace(/%src%/g, escapeHTML(videoViewer.location)) ; $(playerView).prependTo('#videoplayer'); // add event to overlay |