authorArne Georg Gleditsch <argggh@lxr.linpro.no>2010-02-05 14:52:07 +0100
committerArne Georg Gleditsch <argggh@lxr.linpro.no>2010-02-05 14:52:07 +0100
commit5196a63710f4efce0e46961f0f2e7d321bf72d96 (patch)
treec07ee633cf1ba267f4d8706ff540f19a7c6789a9 /webroot
parent236cfb9a32a8daddfb0a3f4b190386046b0989d9 (diff)
Fix embarrasing XSS holes.
Diffstat (limited to 'webroot')
-rw-r--r--webroot/.static/js/lxrng-funcs.js6
1 files changed, 3 insertions, 3 deletions
diff --git a/webroot/.static/js/lxrng-funcs.js b/webroot/.static/js/lxrng-funcs.js
index 8a6720f..a612055 100644
--- a/webroot/.static/js/lxrng-funcs.js
+++ b/webroot/.static/js/lxrng-funcs.js
@@ -264,14 +264,14 @@ function load_file_finalize(content) {
res.innerHTML = 'Done';
res.innerHTML = content;
var head = document.getElementById('current_path');
- head.innerHTML = '<a class=\"fref\" href=\".\">' + pending_tree + '</a>';
+ head.innerHTML = '<a class=\"fref\" href=\".\">' + escape(pending_tree) + '</a>';
var path_walked = '';
var elems = pending_file.split(/\//);
for (var i = 0; i < elems.length; i++) {
if (elems[i] != '') {
head.innerHTML = head.innerHTML + '/' +
- '<a class=\"fref\" href=\"' + path_walked + elems[i] +
- '\">' + elems[i] + '</a>';
+ '<a class=\"fref\" href=\"' + escape(path_walked) + escape(elems[i]) +
+ '\">' + escape(elems[i]) + '</a>';
path_walked = path_walked + elems[i] + '/';
}
}
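Review bot: `escape()` in the three added lines is the legacy percent-encoder rather than an HTML escaper, unless this file defines its own `escape` outside the hunk. It does keep markup characters out of `head.innerHTML`, but the link text for `pending_tree` and each `elems[i]` will now display percent-encoded (a space shows as `%20`), and non-Latin-1 characters become `%uXXXX` in the `href`, which is not valid URL encoding. Building the anchors with DOM calls and using `encodeURIComponent` only for the `href` segments avoids both problems, as sketched below. `res.innerHTML = content` at the top of the hunk is not touched by this commit, so it is worth confirming that `content` is always server-escaped markup. The body of load_file_finalize starts and ends outside the hunk.

```javascript
var head = document.getElementById('current_path');
head.innerHTML = '';
var root = document.createElement('a');
root.className = 'fref';
root.setAttribute('href', '.');
root.appendChild(document.createTextNode(pending_tree));
head.appendChild(root);
// … unchanged: path_walked and elems setup, the for loop and the empty-segment check …
        var seg = encodeURIComponent(elems[i]);
        var link = document.createElement('a');
        link.className = 'fref';
        link.setAttribute('href', path_walked + seg);
        link.appendChild(document.createTextNode(elems[i]));
        head.appendChild(document.createTextNode('/'));
        head.appendChild(link);
        path_walked = path_walked + seg + '/';
```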