From 81db48c1a9d38a56cd9cdc27eb954fcb0ab88139 Mon Sep 17 00:00:00 2001
From: benweet <benoit.schweblin@gmail.com>
Date: Sun, 3 Nov 2013 22:34:41 +0000
Subject: [PATCH] Escape file titles in recovery page

---
 public/recovery.html | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)

diff --git a/public/recovery.html b/public/recovery.html
index 2a46d8fc..92e3c641 100644
--- a/public/recovery.html
+++ b/public/recovery.html
@@ -42,6 +42,21 @@
                 elt.className = elt.className.replace(/ hide/, '');
             }
 
+            var entityMap = {
+                "&": "&amp;",
+                "<": "&lt;",
+                ">": "&gt;",
+                '"': '&quot;',
+                "'": '&#39;',
+                "/": '&#x2F;'
+            };
+            
+            function escapeHtml(string) {
+                return String(string).replace(/[&<>"'\/]/g, function(s) {
+                    return entityMap[s];
+                });
+            }
+            
             function listFiles() {      
                 // List files
                 var fileListElt = document.querySelector('.file-list');
@@ -56,7 +71,7 @@
                         '<a href="javascript:removeFile(\'',
                         fileIndex,
                         '\')" class="icon-trash"></a> ',
-                        fileTitle,
+                        escapeHtml(fileTitle),
                     ].join('');
                     fileListElt.appendChild(divElt);
                 }