Merge pull request #851 from LukasReschke/sanitize-file-name

Sanitize file name
webodf · Jan 5, 2015 · 60a1269 · 60a1269
2 parents 4b06c28 + 9d170f8
commit 60a1269
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -19,7 +19,7 @@ See also section about WebODF
 ### Fixes
 
 * Only highlight ODF fields in edit mode ([#816](https://github.com/kogmbh/WebODF/issues/816))
-
+* Prevent Cross-Site Scripting from file names ([#851](https://github.com/kogmbh/WebODF/pull/851)))
 
 ## Wodo.TextEditor
 See also section about WebODF

diff --git a/programs/viewer/viewer.js b/programs/viewer/viewer.js
@@ -259,7 +259,9 @@ function Viewer(viewerPlugin) {
         url = location;
         filename = url.replace(/^.*[\\\/]/, '');
         document.title = filename;
-        document.getElementById('documentName').innerHTML = document.title;
+        var documentName = document.getElementById('documentName');
+        documentName.innerHTML = "";
+        documentName.appendChild(documentName.ownerDocument.createTextNode(document.title));
 
         viewerPlugin.onLoad = function () {
             document.getElementById('pluginVersion').innerHTML = viewerPlugin.getPluginVersion();

diff --git a/webodf/lib/odf/OdfCanvas.js b/webodf/lib/odf/OdfCanvas.js
@@ -1195,7 +1195,8 @@
             // FIXME: We need to support parametrized strings, because
             // drop-in word replacements are inadequate for translations;
             // see http://techbase.kde.org/Development/Tutorials/Localization/i18n_Mistakes#Pitfall_.232:_Word_Puzzles
-            element.innerHTML = runtime.tr('Loading') + ' ' + url + '...';
+            element.innerHTML = "";
+            element.appendChild(element.ownerDocument.createTextNode(runtime.tr('Loading') + url + '...'));
             element.removeAttribute('style');
             // open the odf container
             odfcontainer = new odf.OdfContainer(url, function (container) {