From 4868742fd184c6d9c9158490098c7c4a5793a8fc Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@owncloud.com>
Date: Mon, 1 Dec 2014 13:25:40 +0100
Subject: [PATCH] Sanitize paragraph and font names

---
 programs/editor/widgets/fontPicker.js      | 9 +++++----
 programs/editor/widgets/paragraphStyles.js | 9 +++++----
 2 files changed, 10 insertions(+), 8 deletions(-)

diff --git a/programs/editor/widgets/fontPicker.js b/programs/editor/widgets/fontPicker.js
index fd3e60629..27758a755 100644
--- a/programs/editor/widgets/fontPicker.js
+++ b/programs/editor/widgets/fontPicker.js
@@ -23,9 +23,10 @@
  */
 /*global define,require,document */
 define("webodf/editor/widgets/fontPicker", [
-    "dijit/form/Select"],
+    "dijit/form/Select",
+    "dojox/html/entities"],
 
-    function (Select) {
+    function (Select, htmlEntities) {
         "use strict";
 
         /**
@@ -91,7 +92,7 @@ define("webodf/editor/widgets/fontPicker", [
                     name = documentFonts[i].name;
                     family = documentFonts[i].family || name;
                     selectionList.push({
-                        label: '<span style="font-family: ' + family + ';">' + name + '</span>',
+                        label: '<span style="font-family: ' + htmlEntities.encode(family) + ';">' + htmlEntities.encode(name)+ '</span>',
                         value: name
                     });
                 }
@@ -104,7 +105,7 @@ define("webodf/editor/widgets/fontPicker", [
                 // Lastly populate the fonts provided by the editor
                 for (i = 0; i < editorFonts.length; i += 1) {
                     selectionList.push({
-                        label: '<span style="font-family: ' + editorFonts[i] + ';">' + editorFonts[i] + '</span>',
+                        label: '<span style="font-family: ' + htmlEntities.encode(editorFonts[i]) + ';">' + htmlEntities.encode(editorFonts[i]) + '</span>',
                         value: editorFonts[i]
                     });
                 }
diff --git a/programs/editor/widgets/paragraphStyles.js b/programs/editor/widgets/paragraphStyles.js
index 595693142..a8e5a1a7e 100644
--- a/programs/editor/widgets/paragraphStyles.js
+++ b/programs/editor/widgets/paragraphStyles.js
@@ -26,9 +26,10 @@
 
 define("webodf/editor/widgets/paragraphStyles", [
     "dijit/form/Select",
+    "dojox/html/entities",
     "webodf/editor/EditorSession"],
 
-    function (Select, EditorSession) {
+    function (Select, htmlEntities, EditorSession) {
     "use strict"
 
     /**
@@ -83,7 +84,7 @@ define("webodf/editor/widgets/paragraphStyles", [
 
             for (i = 0; i < availableStyles.length; i += 1) {
                 selectionList.push({
-                    label: availableStyles[i].displayName || availableStyles[i].name,
+                    label: htmlEntities.encode(availableStyles[i].displayName) || htmlEntities.encode(availableStyles[i].name),
                     value: availableStyles[i].name
                 });
             }
@@ -102,8 +103,8 @@ define("webodf/editor/widgets/paragraphStyles", [
 
             newStyleElement = editorSession.getParagraphStyleElement(styleInfo.name);
             select.addOption({
-                value: styleInfo.name,
-                label: newStyleElement.getAttributeNS(stylens, 'display-name')
+                label: htmlEntities.encode(newStyleElement.getAttributeNS(stylens, 'display-name')),
+                value: styleInfo.name
             });
 
             if (self.onAdd) {