From 48dcd11af0c7d1caef6bd1414280f9c106b2b926 Mon Sep 17 00:00:00 2001
From: Lauri Ojansivu
Date: Wed, 16 Aug 2023 22:30:17 +0300
Subject: [PATCH] Add some filename, if there is no filename after sanitize. Thanks to xet7 ! Related https://github.com/wekan/wekan/pull/5083
---
 client/components/cards/attachments.js | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/client/components/cards/attachments.js b/client/components/cards/attachments.js
index 757a61114..d28b88004 100644
--- a/client/components/cards/attachments.js
+++ b/client/components/cards/attachments.js
@@ -292,13 +292,17 @@ Template.cardAttachmentsPopup.events({
 let uploads = [];
 for (const file of files) {
 const fileId = new ObjectID().toString();
- const warning = "WARNING-XSS-SANITIZED-";
 let fileName = DOMPurify.sanitize(file.name);
+ // If sanitized filename is not same as original filename,
+ // it could be XSS that is already fixed with sanitize,
+ // or just normal mistake, so it is not a problem.
+ // That is why here is no warning.
 if (fileName !== file.name) {
- // console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
- // Add warning about XSS sanitized:
- fileName = warning.concat(fileName);
+ // If filename is empty, only in that case add some filename
+ if (fileName.length === 0) {
+ fileName = 'Empty-filename-after-sanitize.txt';
+ }
 }
 const config = {