there was an XSS script issue in preview iframes

fixes CNVS-17101

When you have a file with a <script> name and no preview could be
shown for that file, it would run the XSS. This fixes that.

Test Plan
Given you are on new files
And you create a file with the name <script>alert("Hi");</script>
When you preview that file
Then you should NOT see a pop up with the words Hi

Change-Id: Iaaeddd9e0121707b6122a3095fa9127b06815d2b
Reviewed-on: https://gerrit.instructure.com/44869
Reviewed-by: Dan Minkevitch <dan@instructure.com>
Product-Review: Sterling Cobb <sterling@instructure.com>
Tested-by: Jenkins <jenkins@instructure.com>
QA-Review: Jahnavi Yetukuri <jyetukuri@instructure.com>
Sterling Cobb 2014-11-24 16:20:18 -07:00 committed by Matt Fairbourn
parent 75c7b96718
commit 69ea170eb1
1 changed files with 2 additions and 2 deletions


@ -5,10 +5,10 @@
<h2><%= @file.display_name %></h2>
<div><%= t('file_previews.no_preview_available', 'No preview is available for this file.')%></div>
<div>
<%= link_to(t('file_previews.download_file', 'Download *filename*', :wrapper => {'*' => @file.display_name}),
<%= link_to(t('file_previews.download_file', 'Download *filename*', :wrapper => {'*' => h(@file.display_name)}),
context_url(@context, :context_file_download_url, @file.id, :download_frd => 1)) %>
(<%= @file.readable_size %>)
</div>
</div>
<%= render :partial => 'layouts/foot', :locals => { :include_common_bundle => true } %>
</body>
</body>
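Review bot: the escaping is added only to the value passed through `:wrapper` in the `link_to` call, while the `<h2><%= @file.display_name %></h2>` two lines above is left unchanged, so the hunk implicitly relies on two different mechanisms: `h()` for text substituted via `:wrapper` (which the bug shows is not escaped by `t()`), and ERB's own output escaping for the heading. A short comment on the `:wrapper` line stating that wrapper substitutions are inserted unescaped would stop the `h()` from being "cleaned up" later, and since the Test Plan is manual, a view spec that renders the partial with a display name containing `<script>` and asserts the markup is escaped would give this fix a regression check.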