ncp-web: escape HTML in details box

Jeanoo · Jan 11, 2019 · 6ba0cb0 · 6ba0cb0
1 parent 0ff1df9
commit 6ba0cb0
Show file tree

Hide file tree

Showing 2 changed files with 13 additions and 4 deletions.
diff --git a/changelog.md b/changelog.md
@@ -1,7 +1,11 @@
 
-[v1.0.2](https://github.com/nextcloud/nextcloudpi/commit/a2f79d2) (2019-01-09) wizard: dont change missing parameters
+[v1.1.1](https://github.com/nextcloud/nextcloudpi/commit/a95bc68) (2019-01-10) ncp-web: escape HTML in details box
 
-[v1.0.1](https://github.com/nextcloud/nextcloudpi/commit/f722c45) (2019-01-08) nc-update-nc: remove backup after restoring
+[v1.1.0](https://github.com/nextcloud/nextcloudpi/commit/0ff1df9) (2019-01-08) upgrade to NC15
+
+[v1.0.2  ](https://github.com/nextcloud/nextcloudpi/commit/06b00e4) (2019-01-09) wizard: dont change missing parameters
+
+[v1.0.1  ](https://github.com/nextcloud/nextcloudpi/commit/f722c45) (2019-01-08) nc-update-nc: remove backup after restoring
 
 [v1.0.0  ](https://github.com/nextcloud/nextcloudpi/commit/013198c) (2019-01-08) ncp-config: allow empty values
 

diff --git a/ncp-web/js/ncp.js b/ncp-web/js/ncp.js
@@ -164,7 +164,8 @@ function filter_apps(e)
     search_box.value = '';
     var input = $$('#' + match.id + '-config-box input');
     input.focus();
-    input.selectionStart = input.selectionEnd = input.value.length;
+    if( input.getAttribute('type') != 'checkbox' )
+      input.selectionStart = input.selectionEnd = input.value.length;
     $('#search-box').animate( {$width: '0px'}, 150 ).then(function() { $('#search-box').hide(); });
     history.pushState(null, selectedID, "?app=" + selectedID);
     return;
@@ -209,6 +210,10 @@ $(function()
   $('#poweroff-dialog').hide();
   $('#overlay').hide();
 
+  function escapeHTML(str) {
+    return str.replace(/&/g,'&amp;').replace(/</g,'&lt;').replace(/>/g,'&gt;');
+  }
+
   source.addEventListener('message', function(e) 
     {
       if ( e.origin != 'https://' + window.location.hostname + ':4443') 
@@ -220,7 +225,7 @@ $(function()
       if (!selectedID) return;
       var box_l = $('#' + selectedID + '-details-box');
       var box   = box_l[0];
-      box_l.ht( box.innerHTML + e.data + '<br>' );
+      box_l.ht( box.innerHTML + escapeHTML(e.data) + '<br>' );
       box.scrollTop = box.scrollHeight;
     }, false);