]> granicus.if.org Git - transmission/commitdiff
projects / transmission / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 523d8c1)
HTML-escape torrent name displayed in trackers inspector tab
authorMike Gelfand <mikedld@mikedld.com>
Fri, 23 Feb 2018 19:37:20 +0000 (22:37 +0300)
committerMike Gelfand <mikedld@mikedld.com>
Tue, 17 Apr 2018 10:25:49 +0000 (13:25 +0300)
This will prevent injection of arbitrary HTML when multiple torrents are
selected. Follow-up to the previous commit.

web/javascript/inspector.js patch | blob | history

diff --git a/web/javascript/inspector.js b/web/javascript/inspector.js
index 917334dd3e86bb2ad303f14056419f200acc0225..419ad263b7b534c629a7a5329cae31f9d4f3668c 100644 (file)
--- a/web/javascript/inspector.js
+++ b/web/javascript/inspector.js
@@ -716,7 +716,7 @@ function Inspector(controller) {
                        html.push ('<div class="inspector_group">');
 
                        if (torrents.length > 1)
-                               html.push('<div class="inspector_torrent_label">', tor.getName(), '</div>');
+                               html.push('<div class="inspector_torrent_label">', sanitizeText(tor.getName()), '</div>');
 
                        tier = -1;
                        trackers = tor.getTrackers();
Unnamed repository; edit this file 'description' to name the repository.