From 28e97808f51bed34a85b54873cf17f973965a8d2 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Wed, 16 Aug 2023 21:24:34 +0300
Subject: [PATCH] Add warning to beginning of sanitized filename.
Thanks to xet7! Related https://github.com/wekan/wekan/pull/5083
---
 client/components/cards/attachments.js | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/client/components/cards/attachments.js b/client/components/cards/attachments.js
index 8a6b73072..757a61114 100644
--- a/client/components/cards/attachments.js
+++ b/client/components/cards/attachments.js
@@ -292,10 +292,13 @@ Template.cardAttachmentsPopup.events({
 let uploads = [];
 for (const file of files) {
 const fileId = new ObjectID().toString();
- const fileName = DOMPurify.sanitize(file.name);
+ const warning = "WARNING-XSS-SANITIZED-";
+ let fileName = DOMPurify.sanitize(file.name);
 if (fileName !== file.name) {
- console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
+ // console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
+ // Add warning about XSS sanitized:
+ fileName = warning.concat(fileName);
 }
 const config = {