
github.com/nextcloud/passman.git - Unnamed repository; edit this file 'description' to name the repository.
authorbinsky <timo@binsky.org>2021-03-14 20:22:20 +0300
committerbinsky <timo@binsky.org>2021-03-14 20:22:20 +0300
commita361f31022dc26421d10ab853f1920359e14160d (patch)
tree1dc119a96e7417bb589f5cfdbe4cf75a0e8b84cc /js/app
parent7065a60686e1da0a51b9235e0d0750cf797d6d6e (diff)
fix file download from credential view
Diffstat (limited to 'js/app')
-rw-r--r--js/app/controllers/public_shared_credential.js2
-rw-r--r--js/app/directives/credentialtemplate.js4
-rw-r--r--js/app/services/shareservice.js11
3 files changed, 13 insertions, 4 deletions
diff --git a/js/app/controllers/public_shared_credential.js b/js/app/controllers/public_shared_credential.js
index 7f055002..8d78221b 100644
--- a/js/app/controllers/public_shared_credential.js
+++ b/js/app/controllers/public_shared_credential.js
@@ -58,7 +58,7 @@
return;
}
var file_data = EncryptService.decryptString(result.file_data, _key);
- download(file_data, escapeHTML(file.filename), file.mimetype);
+ download(file_data, ShareService.escapeHTML(file.filename), file.mimetype);
});
};
}]);
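Review bot: `ShareService.escapeHTML(file.filename)` HTML-encodes a value that is handed to `download()` as a file name rather than rendered as markup, so a name like `a&b.txt` would presumably be saved as `a&amp;b.txt`, while characters that matter for a file name (path separators, control characters) pass through unchanged. If `download()` sets the name through a DOM attribute or property, which this hunk does not show, entity encoding adds no protection; a filename-specific cleanup such as `file.filename.replace(/[\\/\x00-\x1f]/g, '_')` would fit the context better. `file.mimetype` is also passed through unchecked, and the same call appears in js/app/directives/credentialtemplate.js. The enclosing callback starts outside the hunk, so it cannot be confirmed from here that `ShareService` is injected into this controller.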
diff --git a/js/app/directives/credentialtemplate.js b/js/app/directives/credentialtemplate.js
index 8c4f7a76..34862847 100644
--- a/js/app/directives/credentialtemplate.js
+++ b/js/app/directives/credentialtemplate.js
@@ -49,7 +49,7 @@
}
var file_data = EncryptService.decryptString(result.file_data, key);
- download(file_data, escapeHTML(file.filename), file.mimetype);
+ download(file_data, ShareService.escapeHTML(file.filename), file.mimetype);
};
@@ -65,4 +65,4 @@
}
};
}]);
-}()); \ No newline at end of file
+}());
diff --git a/js/app/services/shareservice.js b/js/app/services/shareservice.js
index 195555cf..c2841cf6 100644
--- a/js/app/services/shareservice.js
+++ b/js/app/services/shareservice.js
@@ -310,7 +310,16 @@
setTimeout(workload.bind(this), 0);
});
+ },
+
+ /**
+ * Sanitizes a HTML string by replacing all potential dangerous characters with HTML entities
+ * @param {string} s String to sanitize
+ * @return {string} Sanitized string
+ */
+ escapeHTML: function (s) {
+ return s.toString().split('&').join('&amp;').split('<').join('&lt;').split('>').join('&gt;').split('"').join('&quot;').split('\'').join('&#039;');
}
};
}]);
-}()); \ No newline at end of file
+}());
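Review bot: `escapeHTML` calls `s.toString()`, which throws a TypeError when `s` is `null` or `undefined` (for example a file entry without a filename); `String(s == null ? '' : s)` in its place would make the helper total. The doc comment says it "sanitizes a HTML string", but the code entity-encodes plain text for HTML element content or a quoted attribute value, and does not make a value safe in URLs, script, or unquoted attributes. The comment should state that limit, e.g. `Escapes &, <, >, " and ' so plain text can be placed in HTML content or a quoted attribute value`. The enclosing service object begins outside the hunk.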