From 14755b838ac2c7c0b1cf53c698a9b49707e7c576 Mon Sep 17 00:00:00 2001
From: steinm
Date: Tue, 11 Sep 2012 12:55:29 +0000
Subject: [PATCH] - prevent xss attack - no need to decodeString() in javascript anymore
---
 out/out.DocumentChooser.php | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/out/out.DocumentChooser.php b/out/out.DocumentChooser.php
index ea70874d8..922c1c128 100644
--- a/out/out.DocumentChooser.php
+++ b/out/out.DocumentChooser.php
@@ -87,7 +87,7 @@ function printTree($path, $level = 0)
 for ($i = 0; $i < count($documents); $i++) {
 print "
  • \n";
 print "";
- print "getID().",'".str_replace("'", "\\'", $documents[$i]->getName())."');\">".htmlspecialchars($documents[$i]->getName())."";
+ print "getID().",'".str_replace("'", "\\'", htmlspecialchars($documents[$i]->getName()))."');\">".htmlspecialchars($documents[$i]->getName())."";
 print "
  • ";
 }
@@ -126,7 +126,7 @@ var targetName;
 var targetID;
 function documentSelected(id, name) {
- targetName.value = decodeString(name);
+ targetName.value = name; //decodeString(name);
 targetID.value = id;
 window.close();
 return true;
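Review bot: The document name passed as the second argument of the JavaScript call on the added `print` line is still encoded for only one of its two contexts. `htmlspecialchars()` with its default flags followed by `str_replace("'", "\\'", …)` leaves backslashes and line breaks untouched, so a name containing them can still end the string literal early. The surrounding markup is stripped on this page, but the trailing `');\">` suggests a JS string inside a double-quoted HTML attribute, which needs JS encoding first and HTML encoding second. I would build the argument as `$jsName = htmlspecialchars(json_encode($documents[$i]->getName()), ENT_QUOTES);` and print it without the hand-written single quotes, since `json_encode()` supplies its own. The body of printTree starts and ends outside the hunk, so other places that emit the name were not checked.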
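Review bot: The added line keeps the old call as a trailing comment, `//decodeString(name);`, which leaves dead code behind without saying why decoding is no longer wanted. I would write plain `targetName.value = name;` with a short comment such as `// name is passed through unmodified; it is only assigned to .value, never parsed as HTML`. If `decodeString` has no other callers, its definition can be removed too; that is not visible from this hunk. The body of documentSelected continues past the last line shown.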