diff --git a/media/scripts/app/views/share.js b/media/scripts/app/views/share.js
index fe9b5fe340..a63333805b 100644
--- a/media/scripts/app/views/share.js
+++ b/media/scripts/app/views/share.js
@@ -51,7 +51,7 @@ define([
render: function () {
this.$el.html(this.template({
title: gettext("Share {placeholder}")
- .replace('{placeholder}', '' + this.obj_name + ''),
+ .replace('{placeholder}', '' + Common.HTMLescape(this.obj_name) + ''),
is_dir: this.is_dir,
is_repo_owner: this.is_repo_owner,
is_virtual: this.is_virtual,
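Review bot: The new `.replace('{placeholder}', '' + Common.HTMLescape(this.obj_name) + '')` still passes a string as the replacement, and `String.prototype.replace` interprets `$&` and the other `$`-prefixed patterns in that string, so an object name containing `$&` would reinsert the literal `{placeholder}` into the title; `Common.HTMLescape` does not neutralise `$`. Passing a function inserts the escaped value verbatim: `var name = Common.HTMLescape(this.obj_name);` followed by `.replace('{placeholder}', function () { return name; })`. The same applies to the escaped `.join(', ')` replacements in the three `after_op_success` handlers at lines 281, 452 and 534, where the list comes from the server response. It is also worth confirming that `this.template` emits `title` without escaping it a second time, otherwise the name is double-encoded in the rendered dialog. The `render` method's enclosing view object starts and ends outside the hunk.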
@@ -281,11 +281,11 @@ define([
var after_op_success = function(data) {
$.modal.close();
var msg = gettext("Successfully sent to {placeholder}")
- .replace('{placeholder}', data['send_success'].join(', '));
+ .replace('{placeholder}', Common.HTMLescape(data['send_success'].join(', ')));
Common.feedback(msg, 'success');
if (data['send_failed'].length > 0) {
msg += '
' + gettext("Failed to send to {placeholder}")
- .replace('{placeholder}', data['send_failed'].join(', '));
+ .replace('{placeholder}', Common.HTMLescape(data['send_failed'].join(', ')));
Common.feedback(msg, 'info');
}
};
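Review bot: The escape-join-replace message construction is now repeated six times across the `after_op_success` handlers in this hunk and at lines 452 and 534, differing only in the `data` keys and the gettext templates, so the next message added here can easily miss the escaping. A small helper keeps the escaping in one place while preserving the current behaviour (success feedback first, then the combined message as 'info'), and using a function replacement also stops `$`-patterns in a user name from being expanded by `String.prototype.replace`. The separator literal between the two messages is garbled in this rendering, so it appears below as a labelled placeholder rather than being guessed. The `after_op_success` variable is assigned inside a handler whose start lies outside the hunk.
```javascript
// Reports the outcome of a share/send request: success feedback first, then
// the combined message as 'info' when any recipient failed (current behaviour).
var showShareResult = function (succeeded, failed, okTpl, failedTpl) {
    var fill = function (tpl, list) {
        var escaped = Common.HTMLescape(list.join(', '));
        // function replacement: '$&' and friends in a name are inserted literally
        return tpl.replace('{placeholder}', function () { return escaped; });
    };
    var msg = fill(okTpl, succeeded);
    Common.feedback(msg, 'success');
    if (failed.length > 0) {
        msg += SEPARATOR /* placeholder: the existing separator literal */ + fill(failedTpl, failed);
        Common.feedback(msg, 'info');
    }
};

var after_op_success = function(data) {
    $.modal.close();
    showShareResult(data['send_success'], data['send_failed'],
        gettext("Successfully sent to {placeholder}"),
        gettext("Failed to send to {placeholder}"));
};
```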
@@ -452,11 +452,11 @@ define([
var after_op_success = function (data) {
$.modal.close();
var msg = gettext("Successfully shared to {placeholder}")
- .replace('{placeholder}', data['shared_success'].join(', '));
+ .replace('{placeholder}', Common.HTMLescape(data['shared_success'].join(', ')));
Common.feedback(msg, 'success');
if (data['shared_failed'].length > 0) {
msg += '
' + gettext("Failed to share to {placeholder}")
- .replace('{placeholder}', data['shared_failed'].join(', '));
+ .replace('{placeholder}', Common.HTMLescape(data['shared_failed'].join(', ')));
Common.feedback(msg, 'info');
}
};
@@ -534,11 +534,11 @@ define([
var after_op_success = function(data) {
$.modal.close();
var msg = gettext("Successfully shared to {placeholder}")
- .replace('{placeholder}', data['shared_success'].join(', '));
+ .replace('{placeholder}', Common.HTMLescape(data['shared_success'].join(', ')));
Common.feedback(msg, 'success');
if (data['shared_failed'].length > 0) {
msg += '
' + gettext("Failed to share to {placeholder}")
- .replace('{placeholder}', data['shared_failed'].join(', '));
+ .replace('{placeholder}', Common.HTMLescape(data['shared_failed'].join(', ')));
Common.feedback(msg, 'info');
}
};
diff --git a/seahub/share/views.py b/seahub/share/views.py
index 2cd8ea233e..4bf5c247ae 100644
--- a/seahub/share/views.py
+++ b/seahub/share/views.py
@@ -1368,7 +1368,6 @@ def ajax_get_upload_link(request):
username=username).filter(path=path)
if len(l) > 0:
token = l[0].token
- print token
data = {
'upload_link': gen_shared_upload_link(token),
'token': token,
@@ -1572,7 +1571,7 @@ def ajax_private_share_dir(request):
if not check_user_share_quota(username, shared_repo, users=share_to_users,
groups=share_to_groups):
- result['error'] = _(('Failed to share "%s", no enough quota. Upgrade account.') % shared_repo.name)
+ result['error'] = _(('Failed to share "%s", no enough quota. Upgrade account.') % escape(shared_repo.name))
return HttpResponse(json.dumps(result), status=400, content_type=content_type)
for email in share_to_users:
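Review bot: On the new line the `%` interpolation runs before `_()`, so gettext is asked to translate the already-formatted string, which cannot match a catalog entry and leaves the message untranslated; the commit adds `escape` but keeps that ordering. Translate the template first and interpolate afterwards: `result['error'] = _('Failed to share "%s", no enough quota. Upgrade account.') % escape(shared_repo.name)`. This assumes `escape` is `django.utils.html.escape` imported at the top of the module, which is outside the hunk; and because `result` is returned as JSON, HTML-escaping the name is only right if the client inserts `error` as HTML rather than as text. `ajax_private_share_dir` starts and continues outside the hunk.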