Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1

[Michael Banck <mbanck@debian.org>]

Hi,

On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> On Tue, Dec  4, 2012 at 23:45:19 +0100, Michael Banck wrote:
> 
> > +Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
> > +===================================================================
> > +--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js	2012-12-04 22:47:26.810080751 +0100
> > ++++ owncloud-4.0.4debian2/apps/files/js/filelist.js	2012-12-04 22:47:26.874081078 +0100
> > +@@ -14,9 +14,9 @@
> > + 			var extension=false;
> > + 		}
> > + 		html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
> > +-		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+name+'"><span class="nametext">'+basename
> > ++		html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '&lt;').replace(/>/, '&gt;')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
> > + 		if(extension){
> > +-			html+='<span class="extension">'+extension+'</span>';
> > ++			html+='<span class="extension">'+escapeHTML(extension)+'</span>';
> > + 		}
> > + 		html+='</span></a></td>';
> > + 		if(size!='Pending'){
> 
> As far as I can tell this escapeHTML function is not defined in the
> current version?  Upstream git has it in core/js/js.js.

Good catch, this was added in 4.0.9, but not mentioned in the security
advisories AFAICT - so I have to fixup unstable as well :-/


Michael