Add some filename, if there is no filename after sanitize.

Thanks to xet7!

Related https://github.com/wekan/wekan/pull/5083
Lauri Ojansivu 2023-08-16 22:30:17 +03:00
parent 08afc05c38
commit 48dcd11af0


@ -292,13 +292,17 @@ Template.cardAttachmentsPopup.events({
let uploads = [];
for (const file of files) {
const fileId = new ObjectID().toString();
const warning = "WARNING-XSS-SANITIZED-";
let fileName = DOMPurify.sanitize(file.name);
// If sanitized filename is not same as original filename,
// it could be XSS that is already fixed with sanitize,
// or just normal mistake, so it is not a problem.
// That is why here is no warning.
if (fileName !== file.name) {
// console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
// Add warning about XSS sanitized:
fileName = warning.concat(fileName);
// If filename is empty, only in that case add some filename
if (fileName.length === 0) {
fileName = 'Empty-filename-after-sanitize.txt';
}
}
const config = {
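Review bot: The fallback test `fileName.length === 0` only catches a name that sanitizes to the empty string, so a name left as whitespace only after `DOMPurify.sanitize` still goes through; `if (fileName.trim().length === 0)` would cover both. The rendered page has lost its +/- markers, so if `fileName = warning.concat(fileName);` is still on the new side, the length check after it can never be true and would have to run before the prefix is added. DOMPurify strips HTML markup and is not a filename validator, and this handler runs in the browser (`Template.cardAttachmentsPopup.events`), so the server-side upload path, which is not visible here, should apply the same rule rather than trust the client-supplied name. The `for` loop body continues outside the hunk.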