diff --git a/core/js/js.js b/core/js/js.js
index cf35d8aac6a9af972807cf823904d51fc180759b..21a2d4c1b35c5317e29bfb91625c17585cae7d0e 100644
--- a/core/js/js.js
+++ b/core/js/js.js
@@ -154,7 +154,7 @@ function n(app, text_singular, text_plural, count, vars) {
* @return {string} Sanitized string
*/
function escapeHTML(s) {
- return s.toString().split('&').join('&').split('<').join('<').split('"').join('"');
+ return s.toString().split('&').join('&').split('<').join('<').split('>').join('>').split('"').join('"').split('\'').join(''');
}
/**
diff --git a/core/js/tests/specs/coreSpec.js b/core/js/tests/specs/coreSpec.js
index 65f768fbc5173416387e57e0dfdc234e8632b02d..233c4d5a0b4222ab7d84938842ffabf6ebe89c98 100644
--- a/core/js/tests/specs/coreSpec.js
+++ b/core/js/tests/specs/coreSpec.js
@@ -124,6 +124,17 @@ describe('Core base tests', function() {
expect(OC.dirname('/subdir/')).toEqual('/subdir');
});
});
+ describe('escapeHTML', function() {
+ it('Returns nothing if no string was given', function() {
+ expect(escapeHTML('')).toEqual('');
+ });
+ it('Returns a sanitized string if a string containing HTML is given', function() {
+ expect(escapeHTML('There needs to be a <script>alert(\"Unit\" + \'test\')</script> for it!')).toEqual('There needs to be a <script>alert("Unit" + 'test')</script> for it!');
+ });
+ it('Returns the string without modification if no potentially dangerous character is passed.', function() {
+ expect(escapeHTML('This is a good string without HTML.')).toEqual('This is a good string without HTML.');
+ });
+ });
describe('Link functions', function() {
var TESTAPP = 'testapp';
var TESTAPP_ROOT = OC.webroot + '/appsx/testapp';