From fa58d0ec3bd37ad02017097e7c0bf192a0f2ef8d Mon Sep 17 00:00:00 2001
From: Vid Smole <vid.smole@gmail.com>
Date: Wed, 16 Aug 2023 18:51:40 +0200
Subject: [PATCH] Rename files with possible XSS

Previously upload of such files would fail silently.
Now they are renamed to a sanitized version and a warning is printed in the console.
---
 client/components/cards/attachments.js | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/client/components/cards/attachments.js b/client/components/cards/attachments.js
index 43ae0e71c..8a6b73072 100644
--- a/client/components/cards/attachments.js
+++ b/client/components/cards/attachments.js
@@ -292,13 +292,16 @@ Template.cardAttachmentsPopup.events({
       let uploads = [];
       for (const file of files) {
         const fileId = new ObjectID().toString();
-        // If filename is not same as sanitized filename, has XSS, then cancel upload
-        if (file.name !== DOMPurify.sanitize(file.name)) {
-          return false;
+        const fileName = DOMPurify.sanitize(file.name);
+
+        if (fileName !== file.name) {
+          console.warn('Detected possible XSS in file: ', file.name + '. Renamed to: ', fileName + '.');
         }
+
         const config = {
           file: file,
           fileId: fileId,
+          fileName: fileName,
           meta: Utils.getCommonAttachmentMetaFrom(card),
           chunkSize: 'dynamic',
         };