Andreas/wekan
1
0
Fork 0
mirror of https://github.com/wekan/wekan.git synced 2025-12-22 10:20:14 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions 5

Add warning to beginning of sanitized filename.

Browse source 
Thanks to xet7!

Related https://github.com/wekan/wekan/pull/5083
This commit is contained in:
Lauri Ojansivu 2023-08-16 21:24:34 +03:00
parent 8a1c2e8860
commit 28e97808f5
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
client/components/cards/attachments.js
View file

@ -292,10 +292,13 @@ Template.cardAttachmentsPopup.events({
let uploads = []; let uploads = [];
for (const file of files) { for (const file of files) {
const fileId = new ObjectID().toString(); const fileId = new ObjectID().toString();
const fileName = DOMPurify.sanitize(file.name); const warning = "WARNING-XSS-SANITIZED-";
let fileName = DOMPurify.sanitize(file.name);
if (fileName !== file.name) { if (fileName !== file.name) {
console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.'); // console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
// Add warning about XSS sanitized:
fileName = warning.concat(fileName);
} }
const config = { const config = {