diff --git a/www/common/toolbar.js b/www/common/toolbar.js
index 1669d8465..ac68e27eb 100644
--- a/www/common/toolbar.js
+++ b/www/common/toolbar.js
@@ -207,32 +207,35 @@ define([
 var anonymous = numberOfEditUsers - editUsersNames.length;
 // Update the userlist
+ var $usersTitle = $('
');
 if (readOnly !== 1) {
- editUsersNames.unshift('' + Messages.yourself + '');
+ $editUsers.append('' + Messages.yourself + '');
 anonymous--;
 }
+ if (editUsersNames.length > 0) {
+ $editUsersList.text(editUsersNames.join('\n')); // .text() to avoid XSS
+ $editUsers.append($editUsersList);
+ }
 if (anonymous > 0) {
 var text = anonymous === 1 ? Messages.anonymousUser : Messages.anonymousUsers;
- editUsersNames.push('' + anonymous + ' ' + text + '');
+ $editUsers.push('' + anonymous + ' ' + text + '');
 }
 if (numberOfViewUsers > 0) {
 var viewText = '';
 if (numberOfEditUsers > 0) {
- editUsersNames.push('');
+ $editUsers.append('
');
 viewText += Messages.and + ' ';
 }
 var viewerText = numberOfViewUsers !== 1 ? Messages.viewers : Messages.viewer;
 viewText += numberOfViewUsers + ' ' + viewerText + '';
- editUsersNames.push(viewText);
- }
- if (editUsersNames.length > 0) {
- editUsersList += editUsersNames.join('
');
+ $editUsers.append(viewText);
 }
- var $usersTitle = $('').text(Messages.users);
- var $editUsers = $userButtons.find('.' + USERLIST_CLS);
- $editUsers.html('').append($usersTitle).append(editUsersList);
 // Update the buttons
 var fa_editusers = '';
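Review bot: In the `anonymous > 0` branch the new line calls `$editUsers.push(...)`, but `$editUsers` is now a jQuery object rather than the old `editUsersNames` array, so this looks like a leftover from the array version. `.push()` on a jQuery collection is an internal array method that adds the string to the matched set instead of inserting markup, so the anonymous-user count would most likely never be rendered; it should be `$editUsers.append('' + anonymous + ' ' + text + '');` with the string argument unchanged. Separately, the `.text()` call covers only the joined user names, while the remaining `.append()` calls still parse their string arguments as HTML, which is safe only as long as they carry nothing but `Messages.*` translations and numeric counts; a short comment above them saying so would keep a later edit from concatenating a user-supplied name there. The declarations of `$editUsers` and `$editUsersList` are not visible in the hunk as shown here, so confirm that `$editUsersList` is an element that preserves the `'\n'` separators when rendered.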