Escape file titles in recovery page

2013-11-03 22:34:41 +00:00 · 2013-11-03 22:34:41 +00:00 · 81db48c1a9
commit 81db48c1a9
parent d9b3b95f46
1 changed files with 16 additions and 1 deletions
--- a/public/recovery.html
+++ b/public/recovery.html
@ -42,6 +42,21 @@
                elt.className = elt.className.replace(/ hide/, '');
            }

+            var entityMap = {
+                "&": "&amp;",
+                "<": "&lt;",
+                ">": "&gt;",
+                '"': '&quot;',
+                "'": '&#39;',
+                "/": '&#x2F;'
+            };
+            
+            function escapeHtml(string) {
+                return String(string).replace(/[&<>"'\/]/g, function(s) {
+                    return entityMap[s];
+                });
+            }
+            
            function listFiles() {      
                // List files
                var fileListElt = document.querySelector('.file-list');
@ -56,7 +71,7 @@
                        '<a href="javascript:removeFile(\'',
                        fileIndex,
                        '\')" class="icon-trash"></a> ',
-                        fileTitle,
+                        escapeHtml(fileTitle),
                    ].join('');
                    fileListElt.appendChild(divElt);
                }