From 982ada9aa789a1837244c1ee84e973e4f3ef594e Mon Sep 17 00:00:00 2001
From: Mac Chapman <mac@veryhappythings.co.uk>
Date: Thu, 14 May 2015 09:00:15 +0100
Subject: [PATCH 1/3] Escape HTML in uploaded image filenames.

Fixes #1293.
---
 wagtail/wagtailadmin/static/wagtailadmin/js/core.js  | 12 ++++++++++++
 .../static/wagtailimages/js/add-multiple.js          |  2 +-
 2 files changed, 13 insertions(+), 1 deletion(-)

diff --git a/wagtail/wagtailadmin/static/wagtailadmin/js/core.js b/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
index 17a5414e14..c81da08819 100644
--- a/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
+++ b/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
@@ -7,6 +7,18 @@ function addMessage(status, text) {
     }, 100);
 }
 
+function escapeHtml(text) {
+  var map = {
+    '&': '&amp;',
+    '<': '&lt;',
+    '>': '&gt;',
+    '"': '&quot;',
+    "'": '&#039;'
+  };
+
+  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
+}
+
 $(function() {
     // Add class to the body from which transitions may be hung so they don't appear to transition as the page loads
     $('body').addClass('ready');
diff --git a/wagtail/wagtailimages/static/wagtailimages/js/add-multiple.js b/wagtail/wagtailimages/static/wagtailimages/js/add-multiple.js
index 373e78a62b..a7c72a7e82 100644
--- a/wagtail/wagtailimages/static/wagtailimages/js/add-multiple.js
+++ b/wagtail/wagtailimages/static/wagtailimages/js/add-multiple.js
@@ -38,7 +38,7 @@ $(function() {
             }).always(function() {
                 data.context.removeClass('processing');
                 data.context.find('.left').each(function(index, elm) {
-                    $(elm).append(data.files[index].name);
+                    $(elm).append(escapeHtml(data.files[index].name));
                 });
 
                 data.context.find('.preview .thumb').each(function(index, elm) {

From 2058f846ce94c44df82c747a38c9c48680123410 Mon Sep 17 00:00:00 2001
From: Mac Chapman <mac@veryhappythings.co.uk>
Date: Thu, 14 May 2015 09:28:51 +0100
Subject: [PATCH 2/3] Fix indentation

---
 .../static/wagtailadmin/js/core.js             | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)

diff --git a/wagtail/wagtailadmin/static/wagtailadmin/js/core.js b/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
index c81da08819..3fda079a72 100644
--- a/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
+++ b/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
@@ -8,15 +8,17 @@ function addMessage(status, text) {
 }
 
 function escapeHtml(text) {
-  var map = {
-    '&': '&amp;',
-    '<': '&lt;',
-    '>': '&gt;',
-    '"': '&quot;',
-    "'": '&#039;'
-  };
+    var map = {
+        '&': '&amp;',
+        '<': '&lt;',
+        '>': '&gt;',
+        '"': '&quot;',
+        "'": '&#039;'
+    };
 
-  return text.replace(/[&<>"']/g, function(m) { return map[m]; });
+    return text.replace(/[&<>"']/g, function(m) {
+        return map[m];
+    });
 }
 
 $(function() {

From e810bf47e8a79aa073d6e0f0449f3c8d924f3544 Mon Sep 17 00:00:00 2001
From: Mac Chapman <mac@veryhappythings.co.uk>
Date: Thu, 14 May 2015 10:19:56 +0100
Subject: [PATCH 3/3] Change quotes to match code style

---
 wagtail/wagtailadmin/static/wagtailadmin/js/core.js | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/wagtail/wagtailadmin/static/wagtailadmin/js/core.js b/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
index 3fda079a72..51f114e825 100644
--- a/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
+++ b/wagtail/wagtailadmin/static/wagtailadmin/js/core.js
@@ -13,7 +13,7 @@ function escapeHtml(text) {
         '<': '&lt;',
         '>': '&gt;',
         '"': '&quot;',
-        "'": '&#039;'
+        '\'': '&#039;'
     };
 
     return text.replace(/[&<>"']/g, function(m) {