From 4a34ae6662e4cc950d318bc6d17691fc579c0a24 Mon Sep 17 00:00:00 2001
From: Nicola Murino <nicola.murino@gmail.com>
Date: Mon, 12 Sep 2022 12:14:40 +0200
Subject: [PATCH] WebClient: properly escape files/directories names

Fixes #981

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
---
 templates/webclient/base.html  |  8 ++++++++
 templates/webclient/files.html | 12 ++----------
 2 files changed, 10 insertions(+), 10 deletions(-)

diff --git a/templates/webclient/base.html b/templates/webclient/base.html
index 79be2cb7..49387b86 100644
--- a/templates/webclient/base.html
+++ b/templates/webclient/base.html
@@ -228,6 +228,14 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
         function replaceSlash(str){
             return str.replace(/\//g,'\u2215');
         }
+
+        var escapeHTML = function ( t ) {
+		    return t
+			    .replace( /&/g, '&amp;' )
+			    .replace( /</g, '&lt;' )
+			    .replace( />/g, '&gt;' )
+			    .replace( /"/g, '&quot;' );
+	        };
     </script>
 
     <!-- Page level plugins -->
diff --git a/templates/webclient/files.html b/templates/webclient/files.html
index 434bcef5..ee4deac4 100644
--- a/templates/webclient/files.html
+++ b/templates/webclient/files.html
@@ -433,25 +433,17 @@ along with this program.  If not, see <https://www.gnu.org/licenses/>.
     var player;
     var playerKeepAlive;
 
-    var escapeHTML = function ( t ) {
-		return t
-			.replace( /&/g, '&amp;' )
-			.replace( /</g, '&lt;' )
-			.replace( />/g, '&gt;' )
-			.replace( /"/g, '&quot;' );
-	};
-
     function shortenData(d, cutoff) {
         if ( typeof d !== 'string' ) {
 			return d;
 		}
 
 		if ( d.length <= cutoff ) {
-			return d;
+			return escapeHTML(d);
 		}
 
         var shortened = d.substr(0, cutoff-1);
-        return shortened+'&#8230;';
+        return escapeHTML(shortened)+'&#8230;';
     }
 
     function openVideoPlayer(name, url, videoType){