Bug#695174: t-p-u pre-approval owncloud/4.0.4debian2-3.1
Hi,
On Wed, Dec 05, 2012 at 10:55:56AM +0100, Julien Cristau wrote:
> On Tue, Dec 4, 2012 at 23:45:19 +0100, Michael Banck wrote:
>
> > +Index: owncloud-4.0.4debian2/apps/files/js/filelist.js
> > +===================================================================
> > +--- owncloud-4.0.4debian2.orig/apps/files/js/filelist.js 2012-12-04 22:47:26.810080751 +0100
> > ++++ owncloud-4.0.4debian2/apps/files/js/filelist.js 2012-12-04 22:47:26.874081078 +0100
> > +@@ -14,9 +14,9 @@
> > + var extension=false;
> > + }
> > + html+='<td class="filename" style="background-image:url('+img+')"><input type="checkbox" />';
> > +- html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+name+'"><span class="nametext">'+basename
> > ++ html+='<a class="name" href="download.php?file='+$('#dir').val().replace(/</, '<').replace(/>/, '>')+'/'+escapeHTML(name)+'"><span class="nametext">'+escapeHTML(basename);
> > + if(extension){
> > +- html+='<span class="extension">'+extension+'</span>';
> > ++ html+='<span class="extension">'+escapeHTML(extension)+'</span>';
> > + }
> > + html+='</span></a></td>';
> > + if(size!='Pending'){
>
> As far as I can tell this escapeHTML function is not defined in the
> current version? Upstream git has it in core/js/js.js.
Good catch, this was added in 4.0.9, but not mentioned in the security
advisories AFAICT - so I have to fixup unstable as well :-/
Michael
Reply to: