From 85ac75b4f4bbe9f55ac5e959a76027cb1be3a68e Mon Sep 17 00:00:00 2001
From: Bjoern Schiessle <schiessle@owncloud.com>
Date: Mon, 25 Jun 2012 12:38:11 +0200
Subject: [PATCH] xss vulnerability fixed

---
 apps/gallery/templates/index.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/apps/gallery/templates/index.php b/apps/gallery/templates/index.php
index 1fdbea5957..e30052fafa 100644
--- a/apps/gallery/templates/index.php
+++ b/apps/gallery/templates/index.php
@@ -14,7 +14,7 @@ div.visible { opacity: 0.8;}
 </style>
 <script type="text/javascript">
-var root = "<?php echo htmlentities($root); ?>";
+var root = "<?php echo $root; ?>";
 function explode(element) {
 $('div', element).each(function(index, elem) {
@@ -64,7 +64,7 @@ $(document).ready(function() {
 for ($i = 0; $i < count($paths); $i++) {
 $path .= urlencode($paths[$i]).'/';
 $classess = 'crumb'.($i == count($paths)-1?' last':'');
- echo '<div class="'.$classess.'" style="background-image:url(\''.\OCP\image_path('core','breadcrumb.png').'\')"><a href="'.\OCP\Util::linkTo('gallery', 'index.php').'&root='.$path.'">'.$paths[$i].'</a></div>';
+ echo '<div class="'.$classess.'" style="background-image:url(\''.\OCP\image_path('core','breadcrumb.png').'\')"><a href="'.\OCP\Util::linkTo('gallery', 'index.php').'&root='.$path.'">'.\OCP\Util::sanitizeHTML($paths[$i]).'</a></div>';
 }
 }
-- 
GitLab
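Review bot: The new `var root = "<?php echo $root; ?>";` line removes the only escaping on `$root` and writes it straight into a double-quoted JavaScript string literal, so a `"`, a backslash or a `</script>` sequence in the value terminates the literal or the whole script block; the breadcrumb links in the second hunk pass `root` back as a query parameter, which suggests the value is request-controlled, although where `$root` is assigned is outside this diff. `htmlentities()` was the wrong escaper for this context (entities are not decoded inside `<script>`, which is presumably why paths containing `&` or `'` broke), but dropping it trades a display bug for a JS-context injection instead of fixing the context. Encode for JavaScript: `var root = <?php echo json_encode($root, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT); ?>;` (no surrounding quotes, `json_encode` supplies them and the `JSON_HEX_*` flags keep `<`, `>`, `&` and quotes out of the HTML). The `explode` function and the enclosing `<script>` element continue past the end of the hunk.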