addressing jsverifyRngState 8b8f0d4ec2a67139b5, fixes HTML injection via filename, closes #554

2019-12-25 09:14:32 +01:00
parent ddaee6486d
commit 8d0ac336d2
5 changed files with 11 additions and 6 deletions
--- a/js/test/AttachmentViewer.js
+++ b/js/test/AttachmentViewer.js
@@ -25,7 +25,7 @@ describe('AttachmentViewer', function () {
                        mimeType.match(/\/pdf/i)
                    ),
                    results = [];
-                prefix = prefix.replace(/%(s|d)/g, '%%');
+                prefix  = prefix.replace(/%(s|d)/g, '%%');
                postfix = postfix.replace(/%(s|d)/g, '%%');
                $('body').html(
                    '<div id="attachment" role="alert" class="hidden alert ' +
@@ -90,7 +90,7 @@ describe('AttachmentViewer', function () {
                    results.push(
                        element.children()[0].href === data &&
                        element.children()[0].getAttribute('download') === filename &&
-                        element.children()[0].text === prefix + filename + postfix
+                        element.children()[0].text === $('<div />').text(prefix + filename + postfix).html()
                    );
                } else {
                    results.push(element.children()[0].href === data);