Rename files with possible XSS

Previously, uploads of such files failed silently.
Now the file is renamed to its sanitized name and a warning is printed to the console.
This commit is contained in:
Vid Smole 2023-08-16 18:51:40 +02:00
parent 998f3fe8a7
commit fa58d0ec3b
No known key found for this signature in database
GPG key ID: 85348A78371C84EB


@ -292,13 +292,16 @@ Template.cardAttachmentsPopup.events({
let uploads = [];
for (const file of files) {
const fileId = new ObjectID().toString();
// If filename is not same as sanitized filename, has XSS, then cancel upload
if (file.name !== DOMPurify.sanitize(file.name)) {
return false;
const fileName = DOMPurify.sanitize(file.name);
if (fileName !== file.name) {
console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
}
const config = {
file: file,
fileId: fileId,
fileName: fileName,
meta: Utils.getCommonAttachmentMetaFrom(card),
chunkSize: 'dynamic',
};
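Review bot: The sanitized name can come back empty, e.g. a file named `<script>.js` is stripped to `''` by DOMPurify, and the upload at `fileName: fileName,` is then created with no name; the `const fileName` line should fall back, e.g. `const fileName = DOMPurify.sanitize(file.name) || fileId;`. DOMPurify parses its input as HTML, so an ordinary name containing `&` is presumably rewritten to `&amp;` and triggers the rename and warning, which is worth a comment on that line: `// DOMPurify treats the name as HTML: tags are stripped and & may be entity-encoded`. This runs in a Blaze `Template.cardAttachmentsPopup.events` handler, so it is a client-side check only and a client posting to the upload endpoint directly bypasses it; the same sanitization needs to exist server-side (presumably the Attachments onBeforeUpload hook), which this hunk does not show. The enclosing event handler starts before the hunk.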