From 9d170f8fe1d4776f59057e5e664a058858c9068d Mon Sep 17 00:00:00 2001
From: Lukas Reschke
Date: Wed, 3 Dec 2014 17:06:05 +0100
Subject: [PATCH] Sanitize file-names

Otherwise a DOM-based XSS is possible.

---
 ChangeLog.md | 2 +-
 programs/viewer/viewer.js | 4 +++-
 webodf/lib/odf/OdfCanvas.js | 3 ++-
 3 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/ChangeLog.md b/ChangeLog.md
index 4df6f6d2c..fee791cc1 100644
--- a/ChangeLog.md
+++ b/ChangeLog.md
@@ -19,7 +19,7 @@ See also section about WebODF
 ### Fixes
 * Only highlight ODF fields in edit mode ([#816](https://github.com/kogmbh/WebODF/issues/816))
-
+* Prevent Cross-Site Scripting from file names ([#851](https://github.com/kogmbh/WebODF/pull/851)))
 ## Wodo.TextEditor
 See also section about WebODF
diff --git a/programs/viewer/viewer.js b/programs/viewer/viewer.js
index fbbd66410..1df749ae8 100644
--- a/programs/viewer/viewer.js
+++ b/programs/viewer/viewer.js
@@ -259,7 +259,9 @@ function Viewer(viewerPlugin) {
 url = location;
 filename = url.replace(/^.*[\\\/]/, '');
 document.title = filename;
- document.getElementById('documentName').innerHTML = document.title;
+ var documentName = document.getElementById('documentName');
+ documentName.innerHTML = "";
+ documentName.appendChild(documentName.ownerDocument.createTextNode(document.title));
 viewerPlugin.onLoad = function () {
 document.getElementById('pluginVersion').innerHTML = viewerPlugin.getPluginVersion();
diff --git a/webodf/lib/odf/OdfCanvas.js b/webodf/lib/odf/OdfCanvas.js
index 9d004ece5..7af1b4497 100644
--- a/webodf/lib/odf/OdfCanvas.js
+++ b/webodf/lib/odf/OdfCanvas.js
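Review bot: The two added lines that clear `innerHTML` and then append a text node can be a single `documentName.textContent = document.title;`, which replaces all children with plain text in one assignment and keeps `innerHTML` out of the path entirely; the `document.title = filename;` assignment on the line above is already a text-only sink and needs no change. The trailing context line still writes `viewerPlugin.getPluginVersion()` through `innerHTML`; nothing in the hunk shows where that string originates, so if it can ever be influenced by the loaded document or the page URL it deserves the same text-node treatment, otherwise a short comment such as `// trusted: version string comes from the plugin's own code` would save the next reviewer the question. `Viewer` starts before and continues after this hunk.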
@@ -1195,7 +1195,8 @@
 // FIXME: We need to support parametrized strings, because
 // drop-in word replacements are inadequate for translations;
 // see http://techbase.kde.org/Development/Tutorials/Localization/i18n_Mistakes#Pitfall_.232:_Word_Puzzles
- element.innerHTML = runtime.tr('Loading') + ' ' + url + '...';
+ element.innerHTML = "";
+ element.appendChild(element.ownerDocument.createTextNode(runtime.tr('Loading') + url + '...'));
 element.removeAttribute('style');
 // open the odf container
 odfcontainer = new odf.OdfContainer(url, function (container) {
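Review bot: The new `createTextNode` call drops the `' '` that the removed line placed between `runtime.tr('Loading')` and `url`, so the status text now renders as `Loadingfile.odt...` with no separator; the second added line should read `element.appendChild(element.ownerDocument.createTextNode(runtime.tr('Loading') + ' ' + url + '...'));`. Equivalently both added lines can collapse into `element.textContent = runtime.tr('Loading') + ' ' + url + '...';`, which clears and sets the text in one step. The FIXME above about parametrized translation strings is unaffected by this change and still applies. The enclosing function starts before and continues after this hunk.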