LPS-27280 - escape uploadProgressId and fileName in upload_progress_p…

…oller
liferay · May 16, 2012 · 9f561f3 · 9f561f3
1 parent c0f9004
commit 9f561f3
Showing 1 changed file with 13 additions and 1 deletion.
diff --git a/portal-web/docroot/html/portal/upload_progress_poller.jsp b/portal-web/docroot/html/portal/upload_progress_poller.jsp
@@ -47,7 +47,19 @@ if (percent.floatValue() >= 100) {
 <body>
 
 <script type="text/javascript">
-	parent.<%= HtmlUtil.escape(uploadProgressId) %>.updateBar(<%= percent.intValue() %>, "<%= fileName %>");
+	;(function() {
+		var progressId = parent['<%= HtmlUtil.escapeJS(uploadProgressId) %>'];
+
+		var hasOwnProperty = Object.prototype.hasOwnProperty;
+
+		if (progressId && hasOwnProperty(progressId, 'updateBar')) {
+			var updateBar = progressId.updateBar;
+
+			if (typeof updateBar == 'function') {
+				progressId.updateBar(<%= percent.intValue() %>, "<%= HtmlUtil.escapeJS(fileName) %>");
+			}
+		}
+	}());
 
 	<c:if test="<%= percent.intValue() < 100 %>">
 		setTimeout("window.location.reload();", 1000);