diff --git a/onionshare_gui/static/helpers.js b/onionshare_gui/static/helpers.js
index 951320ba..8936c3e5 100644
--- a/onionshare_gui/static/helpers.js
+++ b/onionshare_gui/static/helpers.js
@@ -9,3 +9,52 @@ function human_readable_filesize(bytes, si) {
 } while(bytes >= thresh);
 return bytes.toFixed(1)+' '+units[u];
 };
+
+function htmlspecialchars(string, quote_style, charset, double_encode) {
+ var optTemp = 0,
+ i = 0,
+ noquotes = false;
+ if (typeof quote_style === 'undefined' || quote_style === null) {
+ quote_style = 2;
+ }
+ string = string.toString();
+ if (double_encode !== false) {
+ // Put this first to avoid double-encoding
+ string = string.replace(/&/g, '&');
+ }
+ string = string.replace(//g, '>');
+
+ var OPTS = {
+ 'ENT_NOQUOTES': 0,
+ 'ENT_HTML_QUOTE_SINGLE': 1,
+ 'ENT_HTML_QUOTE_DOUBLE': 2,
+ 'ENT_COMPAT': 2,
+ 'ENT_QUOTES': 3,
+ 'ENT_IGNORE': 4
+ };
+ if (quote_style === 0) {
+ noquotes = true;
+ }
+ if (typeof quote_style !== 'number') {
+ // Allow for a single string or an array of string flags
+ quote_style = [].concat(quote_style);
+ for (i = 0; i < quote_style.length; i++) {
+ // Resolve string input to bitwise e.g. 'ENT_IGNORE' becomes 4
+ if (OPTS[quote_style[i]] === 0) {
+ noquotes = true;
+ } else if (OPTS[quote_style[i]]) {
+ optTemp = optTemp | OPTS[quote_style[i]];
+ }
+ }
+ quote_style = optTemp;
+ }
+ if (quote_style & OPTS.ENT_HTML_QUOTE_SINGLE) {
+ string = string.replace(/'/g, ''');
+ }
+ if (!noquotes) {
+ string = string.replace(/"/g, '"');
+ }
+
+ return string;
+}
diff --git a/onionshare_gui/static/onionshare.js b/onionshare_gui/static/onionshare.js
index 0e13f445..05e796bf 100644
--- a/onionshare_gui/static/onionshare.js
+++ b/onionshare_gui/static/onionshare.js
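Review bot: As this page renders the hunk, the replacement targets in htmlspecialchars look like the bare characters themselves (`'&'`, `'"'`, `'''`) and the `<`/`>` step appears collapsed into a single `string.replace(//g, '>')`, which would make the function a no-op for exactly the characters that matter; this is most likely the page's HTML rendering swallowing `&amp;`, `&lt;`, `&gt;`, `&quot;` and `&#039;`, but it should be confirmed against the repository before relying on the helper. Independently of that, `double_encode !== false` skips the `&` pass entirely, so a caller passing `double_encode = false` gets bare ampersands through unescaped — unlike the PHP flag this mimics, which still encodes ampersands that are not part of an existing entity; a comment such as `// double_encode=false skips ALL '&' escaping, not just existing entities — only use on input already known to be entity-encoded` would prevent that misuse. `charset` is accepted but never read, and `string.toString()` throws a TypeError on `null`/`undefined`, where `string = String(string);` would degrade gracefully. The hunk's first three context lines close `human_readable_filesize`, whose body begins outside the hunk.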
@@ -65,7 +65,7 @@ $(function(){ } } else { if(r.path != '/favicon.ico') - update($('').addClass('weblog-error').html(onionshare.strings['other_page_loaded']+': '+r.path)); + update($('').addClass('weblog-error').html(onionshare.strings['other_page_loaded']+': '+htmlspecialchars(r.path))); } } }
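Review bot: The escaped `r.path` is still concatenated into markup and inserted with `.html()`, so the left-hand `onionshare.strings['other_page_loaded']` remains unescaped and this stays safe only as long as those strings are trusted literals from the app's own table (not verifiable from the hunk). Since the element only ever carries plain text here, `.text()` would remove the escape-then-reparse round trip and the dependence on `htmlspecialchars` being loaded from helpers.js first: `update($('…').addClass('weblog-error').text(onionshare.strings['other_page_loaded']+': '+r.path));` (the tag passed to `$()` is not legible in this rendering). If the escaping helper is kept, note that its default quote mode (`2`, ENT_COMPAT) leaves single quotes alone, which is fine for element content but not for reuse inside a single-quoted attribute. The enclosing `$(function(){ … })` callback starts before this hunk.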