Try to fix some security issues.

Thanks to responsible security disclosure contributors and xet7 !

client/components/cards/attachments.js

@@ -1,4 +1,5 @@
 import { ObjectID } from 'bson';
+import DOMPurify from 'isomorphic-dompurify';
 
 const filesize = require('filesize');
 const prettyMilliseconds = require('pretty-ms');
@@ -21,6 +22,9 @@ Template.attachmentsGalery.helpers({
     const ret = filesize(size);
     return ret;
   },
+  sanitize(value) {
+    return DOMPurify.sanitize(value);
+  },
 });
 
 Template.cardAttachmentsPopup.onCreated(function() {
@@ -49,6 +53,10 @@ Template.cardAttachmentsPopup.events({
       let uploads = [];
       for (const file of files) {
         const fileId = new ObjectID().toString();
+        // If filename is not same as sanitized filename, has XSS, then cancel upload
+        if (file.name !== DOMPurify.sanitize(file.name)) {
+          return false;
+        }
         const config = {
           file: file,
           fileId: fileId,