From 4bc88ef59d0f57b850c88c17469547ec66f76e79 Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle <schiessle@owncloud.com>
Date: Mon, 4 Jun 2012 16:22:25 +0200
Subject: [PATCH] prevent xss attacks by manipulating image file names

---
 apps/files_imageviewer/js/lightbox.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/apps/files_imageviewer/js/lightbox.js b/apps/files_imageviewer/js/lightbox.js
index fe8b975309..7a7fb66385 100644
--- a/apps/files_imageviewer/js/lightbox.js
+++ b/apps/files_imageviewer/js/lightbox.js
@@ -25,7 +25,7 @@ function viewImage(dir, file) {
 	var location=OC.filePath('files','ajax','download.php')+'?files='+file+'&dir='+dir;
 	$.fancybox({
 		"href": location,
-		"title": file,
+		"title": file.replace(/</, "&lt;").replace(/>/, "&gt;"),
 		"titlePosition": "inside"
 	});
 }
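Review bot: The escaping added on the `"title"` line is incomplete, because `/</` and `/>/` have no `g` flag and `String.prototype.replace` then substitutes only the first match, so a file name containing more than one angle bracket still reaches the fancybox title with the later ones unescaped. `&` and quote characters are not escaped either, and whether that matters depends on how fancybox inserts the title, which is not visible here. I would change the line to `"title": file.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;"),` or better, route it through a shared HTML-escape helper if the project has one. Separately, the context line above builds `location` by concatenating `file` and `dir` into the query string without `encodeURIComponent`, which this commit leaves as is. The start of `viewImage` lies outside the hunk, so any earlier handling of `file` cannot be checked from here.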
-- 
GitLab