Merge pull request #2062 from owncloud/shareType

Sanitize shareWith
author: Bernhard Posselt <nukeawhale@gmail.com> 2013-03-04 04:27:51 +0400
committer: Bernhard Posselt <nukeawhale@gmail.com> 2013-03-04 04:27:51 +0400
commit: 841daf484513a6d54275822e615a4310686b9e11 (patch)
tree: 104c81ce796bdf77068f01fe97bdb5f8512fb6cc /core
parent: b738aaba2a3f30e80a966c6d1af88f30b853cf1c (diff)
parent: 577945bd338e3f9b1f30aa026c84247f2720ecb6 (diff)
1 files changed, 3 insertions, 3 deletions
diff --git a/core/js/share.js b/core/js/share.js
index 145c31a86c8..34f24da4df7 100644
--- a/core/js/share.js
+++ b/core/js/share.js
@@ -309,12 +309,12 @@ OC.Share={
 			if (permissions & OC.PERMISSION_SHARE) {
 				shareChecked = 'checked="checked"';
 			}
-			var html = '<li style="clear: both;" data-share-type="'+shareType+'" data-share-with="'+shareWith+'" title="' + shareWith + '">';
+			var html = '<li style="clear: both;" data-share-type="'+escapeHTML(shareType)+'" data-share-with="'+escapeHTML(shareWith)+'" title="' + escapeHTML(shareWith) + '">';
 			html += '<a href="#" class="unshare" style="display:none;"><img class="svg" alt="'+t('core', 'Unshare')+'" src="'+OC.imagePath('core', 'actions/delete')+'"/></a>';
 			if(shareWith.length > 14){
-				html += shareWithDisplayName.substr(0,11) + '...';
+				html += escapeHTML(shareWithDisplayName.substr(0,11) + '...');
 			}else{
-				html += shareWithDisplayName;
+				html += escapeHTML(shareWithDisplayName);
 			}
 			if (possiblePermissions & OC.PERMISSION_CREATE || possiblePermissions & OC.PERMISSION_UPDATE || possiblePermissions & OC.PERMISSION_DELETE) {
 				if (editChecked == '') {
author	Bernhard Posselt <nukeawhale@gmail.com>	2013-03-04 04:27:51 +0400
committer	Bernhard Posselt <nukeawhale@gmail.com>	2013-03-04 04:27:51 +0400
commit	841daf484513a6d54275822e615a4310686b9e11 (patch)
tree	104c81ce796bdf77068f01fe97bdb5f8512fb6cc /core
parent	b738aaba2a3f30e80a966c6d1af88f30b853cf1c (diff)
parent	577945bd338e3f9b1f30aa026c84247f2720ecb6 (diff)