Sanitize file-names

Otherwise a DOM-based XSS is possible.
webodf · Dec 19, 2014 · 9d170f8 · 9d170f8
1 parent 4b06c28
commit 9d170f8
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 3 deletions.
diff --git a/ChangeLog.md b/ChangeLog.md
@@ -19,7 +19,7 @@ See also section about WebODF
 ### Fixes
 
 * Only highlight ODF fields in edit mode ([#816](https://github.com/kogmbh/WebODF/issues/816))
-
+* Prevent Cross-Site Scripting from file names ([#851](https://github.com/kogmbh/WebODF/pull/851)))
 
 ## Wodo.TextEditor
 See also section about WebODF

diff --git a/programs/viewer/viewer.js b/programs/viewer/viewer.js
@@ -259,7 +259,9 @@ function Viewer(viewerPlugin) {
         url = location;
         filename = url.replace(/^.*[\\\/]/, '');
         document.title = filename;
-        document.getElementById('documentName').innerHTML = document.title;
+        var documentName = document.getElementById('documentName');
+        documentName.innerHTML = "";
+        documentName.appendChild(documentName.ownerDocument.createTextNode(document.title));
 
         viewerPlugin.onLoad = function () {
             document.getElementById('pluginVersion').innerHTML = viewerPlugin.getPluginVersion();

diff --git a/webodf/lib/odf/OdfCanvas.js b/webodf/lib/odf/OdfCanvas.js
@@ -1195,7 +1195,8 @@
             // FIXME: We need to support parametrized strings, because
             // drop-in word replacements are inadequate for translations;
             // see http://techbase.kde.org/Development/Tutorials/Localization/i18n_Mistakes#Pitfall_.232:_Word_Puzzles
-            element.innerHTML = runtime.tr('Loading') + ' ' + url + '...';
+            element.innerHTML = "";
+            element.appendChild(element.ownerDocument.createTextNode(runtime.tr('Loading') + url + '...'));
             element.removeAttribute('style');
             // open the odf container
             odfcontainer = new odf.OdfContainer(url, function (container) {